11241100x80000000000000002441893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:44.171{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002441892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:44.171{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=612C881289FABD2AD725EDE5A61308DD,SHA256=D57A0248B8300CBF329CADE694DB79A9601014F512AB80EB7EA1C43758C967EBfalsefalse - insufficient disk space 10341000x80000000000000001527474Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:44.114{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527473Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:44.114{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002441898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:45.612{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002441897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:45.612{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E112A6CFC8C2E9A7E7CAA9019E83BA5,SHA256=D6D5D021BDEA3EEF8CDB2D4E1309CD10871D238A7089AE10712A06B4FE0CAAFFfalsefalse - insufficient disk space 354300x80000000000000001527481Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:39.602{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1045-false10.0.1.12-8000- 23542300x80000000000000001527480Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.563{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0136E1A2C97FC7B130DCE733604B77EC,SHA256=A0F57EB9389483A153B067EE079309708BDBDCCB27BF42AF25524F977E2BEA11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002441896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:42.614{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49256-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001527479Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.115{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527478Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:45.115{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527477Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.021{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=461351E1F172F28CD71115034E5704E6,SHA256=6043E4A185852399B63C2D852560B05832456EEEF7819CE3040D1034FAB6CD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527476Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.021{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B71AEAD3D5FB4110A892BD53C672EE,SHA256=5BEEA16FA76715A13DACF0C3910AF0A889225239B97AC86D344373927C058FB8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002441900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:46.846{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002441899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:46.846{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345FA711B46C0C68BD261E052567E564,SHA256=546A14D892C5EEBB07CDBB5E8C2854FAF2915AC02A62851C51D3D883F4A8EA51falsefalse - insufficient disk space 23542300x80000000000000001527484Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:46.570{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92A702780CC0C225A22F7FB11149160,SHA256=2BB5514E4E114A417A45FFAC7A0AA271501E961D0DF761E0EC8B0A5FB90C63BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527483Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:46.116{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527482Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:46.116{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002441902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:47.901{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002441901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:47.901{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658BDA3DD7B338F5141E4B4D37137B38,SHA256=6222C42868D00E1E90C963044C17256ACD50AA017CB01319D5E7A93759D632F6falsefalse - insufficient disk space 23542300x80000000000000001527487Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:47.573{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D5644B28B5953EFC145E3B0F352D8F,SHA256=EC56B735CB83CD556F2FBA0C051B5F3E22D0B6258719060AC609A11083F9B47E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001527486Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:47.117{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527485Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:47.117{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002441904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:48.951{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002441903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:48.951{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94949246F44BBCF46D3E28450DAFE74,SHA256=D6128B20D10374F1D036A135BC7DC5BEF2602157E435F762C732C1B75B2AEC76falsefalse - insufficient disk space 23542300x80000000000000001527490Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:48.576{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45AE881AB6E1EBC12B3C13CF7225A06,SHA256=11C62E67E2DF424AB1E908B31D4F5DE6EF54517732420A59DE87620FB3252D86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527489Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:48.118{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527488Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:48.118{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002441910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.985{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002441909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.985{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C1D94772312340F9671498FE27EEE4,SHA256=F4003507D8F86B22476873CE557F2D32DB3021B59B9B9E6F88777ED9D8AE27AAfalsefalse - insufficient disk space 23542300x80000000000000001527494Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.593{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001527493Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.580{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5091D153352563AD94A0B33FA51C3F03,SHA256=173FCE522A633D500A87138A13903892A3245F0C9DBFEF49DCA43E20334D8B49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002441908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002441907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BFD8CE87E65D937E38D6EC4F4ED353F,SHA256=716AB510E497E301575B11A5B76D891C6F9E4EDFF594C23524AECA96C292599Cfalsefalse - insufficient disk space 11241100x80000000000000002441906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002441905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF14F034B5B5FB4B096AA4A1B45DAB3D,SHA256=15DD9125CAB973EB3AB25191DF30A02A0FF8E438C111F2B3C5F87FEBEBB2CDD1falsefalse - insufficient disk space 10341000x80000000000000001527492Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.119{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527491Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.119{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527501Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:45.039{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1047-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001527500Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:44.738{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1046-false10.0.1.12-8000- 23542300x80000000000000001527499Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.599{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7547B544E3A06F084394609A545EFEEA,SHA256=D801498B731FC0D9D00449AE65281B40F8DA275D6484CACFAD7F8495B7E01A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002441911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:47.626{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49257-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001527498Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.197{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94CA781D447C01AB9BB49E131EA619E5,SHA256=2A7B9E0FF2B68E056772DA185D9722D2E8269D55D1E7CB198600B3449ECDB739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527497Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.196{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=461351E1F172F28CD71115034E5704E6,SHA256=6043E4A185852399B63C2D852560B05832456EEEF7819CE3040D1034FAB6CD1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527496Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.120{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527495Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:50.120{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527505Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.182{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1048-false10.0.1.12-8089- 23542300x80000000000000001527504Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:51.605{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762F4B1453DDEFD6EF488EC528DB1B9A,SHA256=4168344FF948B6757F7966BE8ACF9C5C44375806FF4F5871DB0235ADE1EBCD0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002441913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:51.205{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002441912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:51.205{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
16:42:56.125{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527530Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.125{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527529Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.047{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80ECD3E667A44F13891CD8E83D5CF037,SHA256=BE1A55AA8DB35EFE5F0FB7BC66082670279677C63AB0CA227FCC84BE4E457F85,IMPHASH=00000000000000000000000000000000falsetrue 24542400x80000000000000002441931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:56.338{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe2user: WIN-HOST-5\Administrator hostname: mj0b0drgMD5=C9D47CE6713CBF19C63C2BD94C15B8B2,SHA256=6B2E6923C64CE1CBAAE9E19E3C9EA208522A9684B0DE688150D5CEA7B732F63Ftrue 10341000x80000000000000002441930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:56.338{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002441929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:56.338{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002441928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:56.322{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeC:\Sysmon\CLIP-C9D47CE6713CBF19C63C2BD94C15B8B26B2E6923C64CE1CBAAE9E19E3C9EA208522A9684B0DE688150D5CEA7B732F63F2021-04-22 16:42:56.322 10341000x80000000000000002441927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:56.322{21761711-83AE-607D-1D00-00000000BB01}19607576C:\Windows\sysmon64.exe{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527565Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.763{761B69BB-A791-6081-0F83-00000000BA01}64605620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527564Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.671{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFC62F1FE6D9F7BC85BABE0A49D2D46,SHA256=C2AAAF9EEEEF62A3DBC6AA1B973118C7E16E7FAE34B8D06837FD82E3AB5C3A76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002441946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.972{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002441945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:57.972{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002441944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.972{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002441943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:57.656{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList 12241200x80000000000000002441942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:57.656{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\RegisteredApplications 12241200x80000000000000002441941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:57.656{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000002441940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:57.656{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12Binary Data 12241200x80000000000000002441939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:57.656{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids 12241200x80000000000000002441938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:57.656{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 12241200x80000000000000002441937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:57.487{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x80000000000000002441936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:57.487{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{bd98497a-0000-0000-0000-100000000000} 11241100x80000000000000002441935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.387{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002441934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.387{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACFC2F9EF8FC0049D466814DD9AD203,SHA256=E483BA740BCB8EEBF2FF6E0AD485C8F3B557F91CC9B2DFE63AC2637FF730F227falsefalse - insufficient disk space 10341000x80000000000000001527563Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.623{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A791-6081-0F83-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001527562Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.621{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527561Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.621{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527560Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:57.621{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527559Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.620{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527558Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:42:57.620{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-A791-6081-0F83-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001527557Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.620{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A791-6081-0F83-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001527556Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.620{761B69BB-A791-6081-0F83-00000000BA01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001527555Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.575{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527554Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.575{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527553Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:57.287{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4836EE988B799E61F550B045573474F,SHA256=5A8B0408A85AF2A87F59D1740405B1B757592386B174C7F4EBCB2E7253E55E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527569Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:58.684{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92147FB860CC146CF8B99FE8F642F0F,SHA256=FBF6B59630B0F0E087AEC92C4AA3A5080D490D0776046D693C90F45B49398E07,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002442680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\document-752139500.xlsm.LNK2021-04-22 16:42:58.988 18141800x80000000000000002442679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744\srvsvcC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE 734700x80000000000000002442678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 
13241300x80000000000000002442677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\102C5E44\102C5E44Binary Data 12241200x80000000000000002442676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\102C5E44 12241200x80000000000000002442675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery 12241200x80000000000000002442674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency 12241200x80000000000000002442673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency 12241200x80000000000000002442672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002442582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002442570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.718{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002442569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.718{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppobjs.dll10.0.14393.4350 (rs1_release.210407-2154)Software Protection Platform PluginsMicrosoft® Windows® Operating 
SystemMicrosoft Corporationsppobjs.dllMD5=08D22BC06420E0B4389F946ABDC798AE,SHA256=54455722DFE424293D6F1FBCA3DAC91127C77EAF26421C51C9D54009F4F9EE55trueMicrosoft WindowsValid 12241200x80000000000000002442568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000002442567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.718{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\Desktop\5952598816096256\~$document-752139500.xlsm2021-04-22 16:42:58.718 12241200x80000000000000002442566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002442565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002442563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002442561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4350_none_aecb7b4dddd42c62\GdiPlus.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=22905195515813858B52CE4DC79B3FB9,SHA256=CC74B32225A286C5BE81CE792FF7AF86F6AB434519A4A47B7A1CC364D8DF18D9trueMicrosoft WindowsValid 12241200x80000000000000002442560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.718{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002442548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000002442542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\102C5D1C\102C5D1CBinary Data 
12241200x80000000000000002442541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\102C5D1C 12241200x80000000000000002442540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery 13241300x80000000000000002442539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems\;u4Binary Data 12241200x80000000000000002442538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems 12241200x80000000000000002442537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency 12241200x80000000000000002442536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software 
Publishing 734700x80000000000000002442535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.703{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\Clipc.dll10.0.14393.0 (rs1_release.160715-1616)Client Licensing Platform ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationClipC.dllMD5=C1ADE6C578AFD608EBC63BEB0F85ABD7,SHA256=7195914FD6FF035601607636E8EEFC58074852FD9983DB4A7E9DFEAEFA3D8382trueMicrosoft WindowsValid 734700x80000000000000002442534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.703{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7trueMicrosoft WindowsValid 734700x80000000000000002442533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.703{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppwinob.dll10.0.14393.3115 (rs1_release_1.190708-1703)Software Protection Platform Windows PluginMicrosoft® Windows® Operating SystemMicrosoft Corporationsppwinob.dllMD5=012E1DA3DB7B8D5128E9DD440573E549,SHA256=6D87AC8C462BEA922F39C75AF8A9458D1FCC5DB1BBC22931AE233EBB2235C35DtrueMicrosoft WindowsValid 12241200x80000000000000002442532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x80000000000000002442531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 13241300x80000000000000002442530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.687{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2744\0Binary Data 13241300x80000000000000002442529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.687{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ETagstd::wstring|"1XdtvwRgBt40FJxXJozf3bv0b7du6p3QKpaFXXBexnk=" 13241300x80000000000000002442528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.687{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\Expiresint64_t|1619124179 734700x80000000000000002442527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.687{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 12241200x80000000000000002442526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000002442525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002442524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmso40uiWin32Client.dllMD5=ED817FC4D5C18B04726F8EE7C89EFF39,SHA256=C6F13CEC53F3216FEC098ED30ED5F4F935FF897D40C463D130B71305911DF1F5trueMicrosoft CorporationValid 12241200x80000000000000002442523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002442522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002442520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000002442519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.687{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
16:42:58.172{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 12241200x80000000000000002442367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002442365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002442361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000002442345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002442344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002442343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.555{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002442342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002442341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 10341000x80000000000000002442340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002442339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002442338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002442337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002442336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002442335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000002442334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002442333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid 734700x80000000000000002442332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000002442331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x80000000000000002442330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002442329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002442328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 13241300x80000000000000002442327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.555{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000002442326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 12241200x80000000000000002442325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000002442324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.170{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 12241200x80000000000000002442323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002442321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000002442320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002442319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1EtrueMicrosoft WindowsValid 12241200x80000000000000002442318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002442306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.555{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002442300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.554{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002442299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.554{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002442298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.554{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x80000000000000002442297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.553{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002442296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.552{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
734700x80000000000000002442203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.507{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x80000000000000002442202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.506{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002442201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.505{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002442200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.504{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft 
WindowsValid 734700x80000000000000002442199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.504{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x80000000000000002442198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.504{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 10341000x80000000000000002442197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.502{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002442196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.502{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002442195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.486{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{21761711-83AD-607D-E403-000000000000}0x3e40SystemMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2{21761711-83AD-607D-0C00-00000000BB01}724C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000002442194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.497{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor\ULSAllCategories10 13241300x80000000000000002442193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.496{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor\ULSCategoriesSeverities2086 15,827 15,1001 15,2159 10,1000 15,999 15,226 15,1282 50,1338 10,1338 50,1282 10,831 15,1338 15,1282 15,1128 15,2087 15,850 15,1622 50,1039 15,998 15,828 15,829 15,2088 15,1255 15,830 15,974 15,1249 15,670 15,2159 6,671 15,1002 15,669 15,291 15,1249 10,70 50,1584 50 13241300x80000000000000002442192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.496{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor\ULSTagIds151675359,37627806,38355400,17425365,17425358,19543137,19543138,23729931,22070208,23738454,25227928,24404955,23738456,24933761,25227929,23738460,24498243,40921166,592446983,589685772,8758345,19200034,19200075,19200064,19200076,19200077,19200081,25036313,36577664,19200084,20312798,19200085,36274758,38929627,36274766,36274759,25228040,36274767,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,40920534,20833951,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,20039441,50890144,50890201,40921313,40921312,51680200,19952736,36487509,577828117,577828115,36487503,19200142,19252293,19200146,19685471,24404956,24470607,24498245,25036314,38040268,38040275,595939597 
13241300x80000000000000002442191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.496{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor\ULSTagIds08758344,17134338,34968335,19677900,24131419,20039442,21378256,18409363,40920709,19200086,19972417,51655840,17634580,23979203,18375312,18658649,18658648,17183040,17698823,19677907,18948503,34968340,21378211,17650967,18658650,18674530,18637650,9319450,17126295,23738461,21313610,18948102,23738463,18409416,36517339,18948101,18400089,17634578,36761792,20979747,21378249,21030802,8447777,34968342,50890251,34968338,34968337,34968339,38013077,6366290,8448079,7690258,34968341,36274763,23738455,34968589,24406167,17182941,20027008,17182979,20027009,9176926,7690254,23205313,17622912,5850584,8263521,18208657,51655839,5850305,18405130,51679313,51679314,5850582,8750241,20770843,23459486,6170083,22623970,19182148,16859363,17182980,19933261,8988293,5850463,7649377,19539223,18400091,17064074,38062236,17334863,6166345,17182943,17182942,6636694,41976736,17182981,23738458,5850306,21378252,5850583,37048725,8430030,7218753,18384724,5850062,21378246,17922253,19182146,18948499,6636695,21313503,17182982,17311449,17650969,21313506,5850061,19200088,18400093,7692557,17146274,19790027,17650968,51196381,5850307,17650970,19198081,17650971,8254547,19182147,36487501,18208715,19182149,41736099,18405138,17698821,19200087,6137435,25036311,18970753,24466059,5850122,17698822,37365058,8988294,17698820,17846753,17106064,17846730,18400076,19805648,17846750,17885409,135022598,36507861,19261452,19261450,25036315,6366030,21014468,20998161,4859234,20998160,36283595,24498246,5810308,20998163,6301592,34198423,20998158,41484365,20730712,36517340,20998159,6366028,6366025,50405897,6366039,19200078,18400095,21014467,18405147,23738462,21014465,209981
57,20998164,18401413,6366291,18401414,21313537,18401415,38293842,18401416,9242009,17102418,21313504,21313536,17376418,21313507,21378210,21378243,21378247,21378240,21378248,21378241,36577635,21378253,24470550,38293833,36274765,40921221,17311450,21378254,18633497,9037324,7116053,21378255,21378245,17610659,21561487,7214607,593797656,38040271,8750274,20489431,593797655,17339214,21587081,21587082,5850824,5850753,5898849,5898880,5898881,5898884,5898847,20312797,22929427,5898851,8701660,18970755,18917267,5898845,36487495,18917328,24933760,18917326,25228039,40920589,19230863,18949600,17578125,18917268,38062237,18917269,18970761,36292435,34198662,20492502,18917271,18917330,18970383,18949601,22595279,18711811,22131171,573899343,22131207,22131169,22131208,19805646,22853699,17110992,22853700,18948169,5587867,22929425,23414153,19933262,17962391,24466061,5850525,22853712,24991179,24991180,41158543,51196379,51196380,8263520,18638031,21313609,21313611,6647824,25036310,17573643,7868952,38293841,7690253,19200035,7463105,17106059,19200065,17106060,17106065,36487504,18400083,17106063,40920708,19744898,17962113,24511183,17184070,18948501,18474530,18625879,20312793,36274764,36487516,5804129,23979201,7202269,23978014,19693829,18679566,17045407,36274762,17184025,594650054,8709078,18400081,37308099,595174594,18208705,17184068,17618826,17334865,36487496,18400075,18400087,23738459,18405132,19200083,18405134,18405136,18405140,40921218,18405142,36577665,18405144,22058587,8709086,22074074,23643035,20484631,18970757,18970759,18970763,577828114,39965824,593359442,17110988,5601366,17962392,5601367,36274757,18441314,19693830,26019932,4289286,7649375,4317338,19437717,36274761,21030738,22349186,21034758,36495773,37332947,37889366,8996805,4859233,17969938,17445650,16815750,18208656,18208672,25036312,18208658,17445651,8709120,19223073,8709129,8750272,8709089,36487497,50890327,18621250,8709081,20789191,16920930,20248016,589685770,17134337,50890328,19200080,8750242,16843347,18428691,7214608,577828116,1864
7262,19978123,20026645,19978122,18384725,36487502,7459348,36487498,18384801,36487512,19744899,7690256,19732354,5888003,23979200,19732353,18375313,19252294,16860185,18384802,23729926,18633496,18647260,18647259,18647261,20026646,7657413,7649378,7657414,7463684,17842627,7966755,16815754,17311446,18970381,8747207,17311443,19153728,38040274,19200082,18970382,17045408,8430031,8254544 12241200x80000000000000002442190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.496{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor 13241300x80000000000000002442189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 13241300x80000000000000002442188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000002442187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000002442186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000002442185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000002442184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000002442183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor 12241200x80000000000000002442182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe 12241200x80000000000000002442181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.495{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe 12241200x80000000000000002442180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.494{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor 12241200x80000000000000002442179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.494{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor 12241200x80000000000000002442178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.494{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000002442177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.494{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 734700x80000000000000002442176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.491{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x80000000000000002442175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.488{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 10341000x80000000000000002442174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.485{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002442173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.485{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002442172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.485{21761711-83AD-607D-0B00-00000000BB01}6284020C:\Windows\system32\lsass.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002442171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.484{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.484{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.484{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.484{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.484{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 
734700x80000000000000002442166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.484{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 12241200x80000000000000002442165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.482{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.482{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.482{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.482{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000002442161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.482{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 734700x80000000000000002442160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.481{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6trueMicrosoft WindowsValid 734700x80000000000000002442159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.479{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 13241300x80000000000000002442158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.478{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000002442157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.477{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000002442156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.476{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x80000000000000002442155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.476{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXEC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x80000000000000002442154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.475{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 734700x80000000000000002442153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.473{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x80000000000000002442152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.473{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 734700x80000000000000002442151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.472{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x80000000000000002442150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 10341000x80000000000000002442149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.469{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000002442148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x80000000000000002442147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 13241300x80000000000000002442146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 734700x80000000000000002442145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.468{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002442144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.468{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x80000000000000002442143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.467{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22trueMicrosoft WindowsValid 734700x80000000000000002442142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.466{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x80000000000000002442141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.465{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 
11241100x80000000000000002442140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.464{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{D7E81E19-F91E-4607-8B0B-E472D89D708C}2021-04-22 16:42:58.464 13241300x80000000000000002442139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.464{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2744\0Binary Data 12241200x80000000000000002442138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.463{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\6712 12241200x80000000000000002442137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-22 16:42:58.463{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\6712\0 734700x80000000000000002442136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.463{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002442135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.461{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wininet.dll11.00.14393.4283 (rs1_release.210303-1802)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=15916ED65A44D47842A1CC3CE3CF4883,SHA256=7F00B84CE68E843425323FA7F60E49F4011A9A8AB42948E6CEB9B3A204268C53trueMicrosoft WindowsValid 13241300x80000000000000002442134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.461{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000002442133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.461{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000002442132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.460{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000002442131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.460{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 
13241300x80000000000000002442130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DownloadContentStateConsentTime(Empty) 13241300x80000000000000002442129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DownloadContentStateSourceLocationDWORD (0x00000007) 13241300x80000000000000002442128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DownloadContentStateDWORD (0x00000000) 13241300x80000000000000002442127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserContentDependentStateConsentTime(Empty) 13241300x80000000000000002442126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserContentDependentStateSourceLocationDWORD (0x00000007) 13241300x80000000000000002442125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserContentDependentStateDWORD (0x00000000) 13241300x80000000000000002442124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ControllerConnectedServicesStateConsentTime(Empty) 13241300x80000000000000002442123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ControllerConnectedServicesStateSourceLocationDWORD (0x00000007) 13241300x80000000000000002442122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ControllerConnectedServicesStateDWORD (0x00000000) 13241300x80000000000000002442121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ServiceConnectionStateConsentTime(Empty) 13241300x80000000000000002442120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ServiceConnectionStateSourceLocationDWORD (0x00000007) 13241300x80000000000000002442119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ServiceConnectionStateDWORD (0x00000001) 13241300x80000000000000002442118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DiagnosticDataConsentConsentTime(Empty) 13241300x80000000000000002442117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000002442116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000002442115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DiagnosticDataConsentLevelSourceLocationDWORD (0x00000007) 13241300x80000000000000002442114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DiagnosticDataConsentLevelDWORD (0x00000001) 13241300x80000000000000002442113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserCategoryDWORD (0x00000000) 12241200x80000000000000002442112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous 12241200x80000000000000002442111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache 734700x80000000000000002442110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.456{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft 
CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754DtrueMicrosoft WindowsValid 734700x80000000000000002442109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.455{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=37266F6D0E2F86FD3FC6E4724ED49823,SHA256=8AD484F4A7964D2D87047771BB21D3211F204F87D4EB029C1EFAA4FD935333B1trueMicrosoft WindowsValid 734700x80000000000000002442108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.455{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\normaliz.dll10.0.14393.0 (rs1_release.160715-1616)Unicode Normalization DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnormaliz.dllMD5=65930A2C537774A8CBB0A1BE20266D51,SHA256=2879DECC03521C385C5D29381B002E7B70BB448BC2787D9C08174592C7D80BC8trueMicrosoft WindowsValid 734700x80000000000000002442107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.455{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 734700x80000000000000002442106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.453{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client 
DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid 734700x80000000000000002442105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.449{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid 18141800x80000000000000002442104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:42:58.448{21761711-A791-6081-7E84-00000000BB01}2744\wkssvcC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE 734700x80000000000000002442103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.448{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002442102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.448{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft 
WindowsValid 734700x80000000000000002442101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920trueMicrosoft WindowsValid 11241100x80000000000000002442100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\EXCEL\App_1619109778447426300_2FAC0A15-0B75-42C8-A76C-95AED4D76AD5.log2021-04-22 16:42:58.447 11241100x80000000000000002442099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\EXCEL\App_1619109778446970800_2FAC0A15-0B75-42C8-A76C-95AED4D76AD5.log2021-04-22 16:42:58.447 734700x80000000000000002442098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.444{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 11241100x80000000000000002442097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.430{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002442096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.430{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66E143A10B0FB3122C8AF15071050C5,SHA256=5B5C87155EE720CE9A0D3ADD6FE57E55FAAE2B6A338D480C737BF5EF316150DAfalsefalse - insufficient disk space 734700x80000000000000002442095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.422{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000002442094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.421{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5AtrueMicrosoft WindowsValid 10341000x80000000000000002442093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.421{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002442092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.420{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002442091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.419{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686EtrueMicrosoft WindowsValid 734700x80000000000000002442090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.417{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid 734700x80000000000000002442089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.408{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5CtrueMicrosoft WindowsValid 11241100x80000000000000002442088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.401{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002442087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.400{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1628BD0D21AF1CCA5CC33F23A4EDD6CE,SHA256=D95C5EE3BC3A3B98079D0B3BBB5FB92E211B56BC564208C712D9DD4519E528F1falsefalse - insufficient disk space 734700x80000000000000002442086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.397{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXEC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000002442085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.395{21761711-83AD-607D-0B00-00000000BB01}6284020C:\Windows\system32\lsass.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002442084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.395{21761711-83AD-607D-0B00-00000000BB01}6284020C:\Windows\system32\lsass.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXEC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002442000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000002441999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 12241200x80000000000000002441998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 734700x80000000000000002441997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT 
Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 13241300x80000000000000002441996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.EXCEL.EXE.15QWORD (0x01d73796-0x8d0c589d) 12241200x80000000000000002441995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 734700x80000000000000002441994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\msvcp140.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=A1D30EF2114E18E26E2BB96555BE81BF,SHA256=F87819AE8C6F7C90D3237A1ABB9809E8CBA9DCD0C80AC3F0969A5E68EF652CA4trueMicrosoft CorporationValid 734700x80000000000000002441993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 
734700x80000000000000002441992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=23105A395B807D9335219958B4D0CEC1,SHA256=61832990E364DCA5BFA2C61D930F00ACAAE6D1AAA3130392403455AE9A1125A5trueMicrosoft CorporationValid 734700x80000000000000002441991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140_1.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=9040ED0FDF4CE7558CBFFB73D4C17761,SHA256=6CC4315DACEB0522816C60678344466CB452426267F70C7FAAE925361674E774trueMicrosoft CorporationValid 734700x80000000000000002441990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 13241300x80000000000000002441989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LaunchCountDWORD (0x00000005) 
13241300x80000000000000002441988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LastAccessedTimeQWORD (0x01d73796-0x8d0adb40) 734700x80000000000000002441987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 734700x80000000000000002441986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 12241200x80000000000000002441985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 734700x80000000000000002441984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\gdi32full.dll10.0.14393.4350 
(rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002441983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002441982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002441981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002441980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXEC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002441979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002441978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 12241200x80000000000000002441977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 734700x80000000000000002441976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll16.0.13127.21452Microsoft 
Office componentMicrosoft OfficeMicrosoft Corporationc2r64.dllMD5=987063E093C30254D80F6B8C2F4A5EEF,SHA256=BBD8531183283BC434943EF126723E75AC7ED7DE9DC87260C47C66B9615F4C11trueMicrosoft CorporationValid 734700x80000000000000002441975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002441974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002441973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002441972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXEC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002441971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll5.2.166.0AppVIsvSubsystems64Microsoft Application Virtualization (App-V)Microsoft CorporationAppVIsvSubsystems64.dllMD5=645BAECF733FD3E637C358C502FDAE1A,SHA256=BD56679E80DF33BC3F9B3B6435E5CC06DB953DF18EB4CF2FD13C094975314714trueMicrosoft CorporationValid 734700x80000000000000002441970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 12241200x80000000000000002441969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList 12241200x80000000000000002441968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\RegisteredApplications 
12241200x80000000000000002441967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000002441966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12Binary Data 12241200x80000000000000002441965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids 13241300x80000000000000002441964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.167{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList\MRULista 12241200x80000000000000002441963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.167{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList 13241300x80000000000000002441962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.166{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 
13241300x80000000000000002441961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LaunchCountDWORD (0x00000005) 13241300x80000000000000002441960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LastAccessedTimeQWORD (0x01d73796-0x8d0adb40) 734700x80000000000000002441959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.165{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x80000000000000002441958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 734700x80000000000000002441957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.165{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 13241300x80000000000000002441956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002441955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Zvpebfbsg Bssvpr\Ebbg\Bssvpr16\RKPRY.RKRBinary Data 12241200x80000000000000002441954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.164{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002441953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.164{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 12241200x80000000000000002441952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:58.164{21761711-83AE-607D-1200-00000000BB01}304C:\Windows\System32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store 10341000x80000000000000002441951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.163{21761711-83AE-607D-1200-00000000BB01}304684C:\Windows\System32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002441950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.163{21761711-83AE-607D-1200-00000000BB01}304684C:\Windows\System32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002441949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.161{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002441948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.161{21761711-84C9-607D-F200-00000000BB01}37842660C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+18d18c|C:\Windows\System32\SHELL32.dll+18cee3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002441947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.686{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE16.0.13127.21506Microsoft ExcelMicrosoft OfficeMicrosoft CorporationExcel.exe"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm"C:\Users\Administrator\Desktop\5952598816096256\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=E9DCD26B4206A2A38CFC5BA4A32D1BEE,SHA256=DB9091C29D475071EF9C0F5794C33733A979E6528B5714B52F330F57011EFCCD{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x80000000000000001527574Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:54.125{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49860- 354300x80000000000000001527573Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:54.085{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64211- 23542300x80000000000000001527572Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:59.689{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4D6EC05AF586312FA962EA73DCCEC5,SHA256=A11CF6544738B1B4099A1501320EE8DBCD66FBEEA61FCABE2A57D86A4E6B4E8F,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002443822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000002443820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.188{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft 
CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FFtrueMicrosoft WindowsValid 12241200x80000000000000002443819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002443812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000002443797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000002443793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.157{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\D3DCompiler_47.dll10.0.14393.3930 (rs1_release.200901-1914)Direct3D HLSL CompilerMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=6C441F5AD6724D68B27D9928C6C1170D,SHA256=EEA0AE3BDCEF59AF62F471E90C489044B8DB55BFF6377231E002A70AB1F8CF73trueMicrosoft WindowsValid 12241200x80000000000000002443792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000002443791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002443776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000002443770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.589{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002443769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.589{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6864E9ABD0D9C6D4877D0F9A139C5E0A,SHA256=FB320FF7D14C9FBBF403581D37D92673E3A7C22180BC53CF420B0887CD8EDE50falsefalse - insufficient disk space 12241200x80000000000000002443768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002443763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid 12241200x80000000000000002443762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002443756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x80000000000000002443741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000002443737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid 12241200x80000000000000002443736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x80000000000000002443735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002443720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
Sysmon events from the Splunk Attack Range export, reconstructed one record per line with " | " between fields (the export had its field delimiters stripped). Common to every record: Level=4, Opcode=0, Keywords=0x8000000000000000, Channel=Microsoft-Windows-Sysmon/Operational, Task=EventID, RuleName=- (the "-" that followed the Computer field). Version is 2 for EventID 11 and 12, 3 for EventID 7 and 10, 5 for EventID 23.
EventID 12 (RegistryEvent) columns: EventID | EventRecordID | Computer | EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject
EventID 7 (ImageLoad) columns: EventID | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
EventID 10 (ProcessAccess) columns: EventID | EventRecordID | Computer | UtcTime | SourceProcessGUID | SourceProcessId+SourceThreadId (run together in the export; the split is not recoverable) | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (frames separated by a bare "|")
EventID 11 (FileCreate) columns: EventID | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
EventID 23 (FileDelete) columns: EventID | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

12 | 2443713 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443712 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443711 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443710 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 2443709 | win-host-5.attackrange.local | 2021-04-22 16:42:58.988 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\linkinfo.dll | 10.0.14393.0 (rs1_release.160715-1616) | Windows Volume Tracking | Microsoft® Windows® Operating System | Microsoft Corporation | LINKINFO.DLL | MD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42 | true | Microsoft Windows | Valid
12 | 2443708 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443707 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443706 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443705 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443704 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443703 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443702 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443701 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443700 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443699 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443698 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443697 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443696 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443695 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443694 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443693 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443692 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443691 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443690 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443689 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443688 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443687 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443686 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443685 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443684 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443683 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2443682 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443681 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7 | 2443680 | win-host-5.attackrange.local | 2021-04-22 16:42:58.872 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\hlink.dll | 10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810) | Microsoft Office 2000 component | Microsoft® Windows® Operating System | Microsoft Corporation | hlink.dll | MD5=FD7A5F4DF14E2D70CE268E22C5A56650,SHA256=E159200E7E4F627FDCF37230F12412B45C18FB1D3EFB1D3F06B4FE1BAA205351 | true | Microsoft Windows | Valid
12 | 2443679 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443678 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443677 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443676 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443675 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443674 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443673 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443672 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443671 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443670 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443669 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443668 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443667 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443666 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443665 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
10 | 1527571 | win-dc-982.attackrange.local | 2021-04-22 16:42:59.577 | {761B69BB-818C-607D-0C00-00000000BA01} | 844972 | C:\Windows\system32\svchost.exe | {761B69BB-88AA-6081-647F-00000000BA01} | 6840 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | 0x3600 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 1527570 | win-dc-982.attackrange.local | 2021-04-22 16:42:59.577 | {761B69BB-818C-607D-0C00-00000000BA01} | 844972 | C:\Windows\system32\svchost.exe | {761B69BB-88AA-6081-657F-00000000BA01} | 6112 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | 0x3600 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12 | 2443664 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443663 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443662 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.558 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
11 | 2443661 | win-host-5.attackrange.local | 2021-04-22 16:42:59.556 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-04-19 13:21:25.072
23 | 2443660 | win-host-5.attackrange.local | 2021-04-22 16:42:59.556 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DB04A64C71154B59B9C03EC042CEC87C,SHA256=3B431C75D26BE623281CE35EBD91D1DF22C6B3AA66192FD4BE6937384A52C1A3 | false | false - insufficient disk space
12 | 2443659 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.556 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443658 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.553 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443657 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.553 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443656 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443655 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443654 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2443653 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443652 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7 | 2443651 | win-host-5.attackrange.local | 2021-04-22 16:42:58.851 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\WindowsCodecs.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Microsoft Windows Codecs Library | Microsoft® Windows® Operating System | Microsoft Corporation | WindowsCodecs | MD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E | true | Microsoft Windows | Valid
12 | 2443650 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443649 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443648 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443647 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443646 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443645 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443644 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443643 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443642 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443641 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443640 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443639 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443638 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443637 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443636 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443635 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443634 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.552 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443633 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443632 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443631 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443630 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7 | 2443629 | win-host-5.attackrange.local | 2021-04-22 16:42:58.834 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL | 16.0.13127.20164 | Microsoft Office component | Microsoft Office | Microsoft Corporation | msptls.dll | MD5=1BAB8E8FA116706ECB69AEAEA58277CB,SHA256=C7F3FE053C22DB4CE9F35B15F21A128DAEAED296B75D40B68D1F60E341F81E9E | true | Microsoft Corporation | Valid
12 | 2443628 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2443627 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443626 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443625 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443624 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443623 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443622 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443621 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443620 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443619 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443618 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443617 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443616 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443615 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443614 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443613 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443612 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443611 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443610 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443609 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443608 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443607 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443606 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443605 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443604 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 2443603 | win-host-5.attackrange.local | 2021-04-22 16:42:58.819 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\usp10.dll | 10.0.14393.3321 (rs1_release.191016-1811) | Uniscribe Unicode script processor | Microsoft® Windows® Operating System | Microsoft Corporation | USP10.DLL | MD5=ACF31D492FD578C0374EB20CC393BE98,SHA256=D49ECA60A94B30DB87CDCEB36F284D273E080E8689E4B0F99D5BD44FFD117A92 | true | Microsoft Windows | Valid
12 | 2443602 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443601 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443600 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443599 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443598 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443597 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443596 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443595 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443594 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443593 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443592 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443591 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443590 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443589 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443588 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443587 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443586 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443585 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443584 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443583 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443582 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443581 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443580 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443579 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443578 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443577 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 2443576 | win-host-5.attackrange.local | 2021-04-22 16:42:58.819 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\d3d10_1core.dll | 10.0.14393.0 (rs1_release.160715-1616) | Direct3D 10.1 Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | D3D10_1Core.dll | MD5=AD41EACFB2A670E17F2C09F8AB06F428,SHA256=208B4CF05936AC21EB0337FB17B1B8F12D778A6E880435C589202457EB0CF73E | true | Microsoft Windows | Valid
12 | 2443575 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443574 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443573 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443572 | win-host-5.attackrange.local | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.520{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002443549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.819{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\d3d10_1.dll10.0.14393.0 (rs1_release.160715-1616)Direct3D 10.1 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10_1.dllMD5=9945D52ACD8FED11F0A636F916C4FF16,SHA256=97C5A99ED38F8516133D6B95070C5998BAAE75EAEF730531D91B81FEE4B81D82trueMicrosoft WindowsValid 12241200x80000000000000002443548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002443543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002443528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002443522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.819{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\directmanipulation.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Direct Manipulation 
ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdirectmanipulation.dllMD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159AtrueMicrosoft WindowsValid 12241200x80000000000000002443521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002443507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.505{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002443500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.734{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\GFX.DLL16.0.13127.21210Microsoft Office GraphicsMicrosoft OfficeMicrosoft CorporationGFX.DLLMD5=668097B2D740561081C0F7A9495457D9,SHA256=7DE7CC50306AD0F6FE3406537092C9F8DC5BBB0FF16E30A55BE3694895FFD293trueMicrosoft CorporationValid 12241200x80000000000000002443499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000002443493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
12241200x80000000000000002443330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.358{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000002443320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.357{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002443319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.357{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3832AD8F882031A84CFD7D6C85F8CFF3,SHA256=01D6AD0FA60787EAE5BD6E2EA7E359A98AED8BA6F0A5019C2F67EDB2B13D6630falsefalse - insufficient disk space 12241200x80000000000000002443318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.354{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.353{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.353{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.353{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.353{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.353{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002443309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002443308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.546{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppsvc.exe10.0.14393.4104 (rs1_release.201202-1742)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeMD5=CE92D4BEC4DCB1921757E4F2FC121837,SHA256=2ED9F59A4EB534F51C6182FF5E40D9C03A6D4D2454E53F787E79CC8FADA209C7trueMicrosoft WindowsValid 12241200x80000000000000002443307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.352{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002443289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.539{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\devobj.dll10.0.14393.0 
(rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11trueMicrosoft WindowsValid 12241200x80000000000000002443288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002443274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000002443266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.535{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08trueMicrosoft WindowsValid 12241200x80000000000000002443265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000002443260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000002443242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.304{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002443241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.304{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBDD502C7AEDCE67A6496F3F5443F25,SHA256=E88635865F98BB6BBCE388EC02D2F5F79927E0D111B8DC32FC356430F8CCC359falsefalse - insufficient disk space 12241200x80000000000000002443240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
12241200x80000000000000002443098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000002443083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.255{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.254{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x80000000000000002443076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000002443074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.474{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wbemcomn.dll10.0.14393.4283 (rs1_release.210303-1802)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=EF7A4C64E4A6F52AEAF20828033ADFF8,SHA256=7108BBAE5B91ED6784BD32547F7BD9DEAD392E47ACAB29DC057AEF7CFB746F3CtrueMicrosoft WindowsValid 12241200x80000000000000002443073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002443070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:42:58.507{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4283 (rs1_release.210303-1802)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=EF7A4C64E4A6F52AEAF20828033ADFF8,SHA256=7108BBAE5B91ED6784BD32547F7BD9DEAD392E47ACAB29DC057AEF7CFB746F3CtrueMicrosoft WindowsValid 12241200x80000000000000002443069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002443063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002443044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.457{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL16.0.13127.21452RichEdit Version 8.0Microsoft OfficeMicrosoft Corporationriched20.dllMD5=5B796D159DCE1E87B9D7FFBD8A21509F,SHA256=ABC949A0289DCFD93A699C460D1783D90194C107925594AE3929068C3E2BA0EAtrueMicrosoft CorporationValid 12241200x80000000000000002443043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002443035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000002443024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Place MRU\Item 2[F00000000][T01D736E37B596050][O00000000]*C:\Users\Administrator\Desktop\ 13241300x80000000000000002443023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Place MRU\Item 1[F00000000][T01D737968DABFD40][O00000000]*C:\Users\Administrator\Desktop\5952598816096256\ 13241300x80000000000000002443022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 4[F00000000][T01D73627FB4A3D50][O00000000]*C:\Users\Administrator\Desktop\details.xls 13241300x80000000000000002443021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 3[F00000000][T01D736C937B0D0A0][O00000000]*C:\Users\Administrator\Desktop\cs.xlsm 13241300x80000000000000002443020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 2[F00000000][T01D736E37B596050][O00000000]*C:\Users\Administrator\Desktop\d5fc0f0e4c95364441a7279f14b5d30add545cd2f9b4c11447bcbd0de5e830d4.xlsm 13241300x80000000000000002443019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 1[F00000000][T01D737968DABFD40][O00000000]*C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm 12241200x80000000000000002443018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000002443015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL16.0.13127.21210Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMsoAria.dllMD5=075F94DBD44477623CA2629F67A28C63,SHA256=7E32AD6955265A798568940B30EEE08891972809507272665314555D06632E83trueMicrosoft CorporationValid 12241200x80000000000000002443014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000002443010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
12241200x80000000000000002442862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002442852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002442851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002442850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002442849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002442847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.394{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9DtrueMicrosoft WindowsValid 12241200x80000000000000002442846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002442841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002442826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002442825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002442824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002442822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.372{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089trueMicrosoft WindowsValid 12241200x80000000000000002442821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002442812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000002442801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.104{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002442800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.104{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF247E540B979C0377CB2EE601319D9,SHA256=0353CF7531E447C1F6BFB5FDEBB55F5B929F6A9D3E39C8CE22EBFE03CC6AC300falsefalse - insufficient disk space 10341000x80000000000000002442799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.088{21761711-A791-6081-7E84-00000000BB01}27442200C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+61c0d|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+ab025|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+5deac|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e279|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002442798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.088{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2744\0Binary Data 13241300x80000000000000002442797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.088{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2744\0Binary Data 12241200x80000000000000002442796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\Common 12241200x80000000000000002442795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002442794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002442793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002442791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.305{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 12241200x80000000000000002442790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
734700x80000000000000002442788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.555{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 12241200x80000000000000002442787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002442774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002442768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002442767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002442765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.305{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 12241200x80000000000000002442764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002442762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.552{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 
12241200x80000000000000002442761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002442746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.088{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002442742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.251{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMSO.dllMD5=4FB7C52B5A56E2A4A47B8A9D0B94C274,SHA256=31D782B41576C93F0D440D2797EEA97C2C452E27C2119220DB3B9E37378D1AF4trueMicrosoft CorporationValid 12241200x80000000000000002442741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002442740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002442739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002442738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002442736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002442732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002442722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002442721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002442720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002442719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.072{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x80000000000000002442718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.054{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002442717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.053{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359CB2090B6B7AA57943F301EAA12F58,SHA256=11D86E7768F0FE12928364EA1B5FC497E08A71B27947BE31C28C763D6C92C2ACfalsefalse - insufficient disk space 11241100x80000000000000002442716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.051{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 23542300x80000000000000002442715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.051{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3CFD24A96A4EC33D8B85FF300683AF6C,SHA256=9D2C11A0D17F13C22397485D9DC231B1E7DB8A4F617FBA1DDDF5E78AFE30D629falsefalse - insufficient disk space 12241200x80000000000000002442714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.019{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x80000000000000002442713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:42:59.019{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{bd98497a-0000-0000-0000-100000000000} 12241200x80000000000000002442712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.019{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x80000000000000002442711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.019{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{bd98497a-0000-0000-0000-100000000000} 10341000x80000000000000002442710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft 
Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002442709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000002442708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002442707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002442706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002442705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002442704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002442703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002442702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\document-752139500.xlsm.LNK2021-04-22 16:42:58.988 23542300x80000000000000002442701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}2744WIN-HOST-5\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\document-752139500.xlsm.LNKMD5=A80FAA827A40AC1510AC3D80C782EFA9,SHA256=064BEC24ABD6A625A80C4B52ABEFA149A8FE6C025126CCB5B5869876BCD5D54Ffalsefalse - insufficient disk space 23542300x80000000000000002442700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}2744WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\d5fc0f0e4c95364441a7279f14b5d30add545cd2f9b4c11447bcbd0de5e830d4.xlsm.LNKMD5=A2805C655AE4B1059A1CA9727BC43F52,SHA256=A1A23B6D57EBC104522416887339213343923A1B00E150641C86892945168691falsefalse - insufficient disk space 10341000x80000000000000002442699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program 
16:43:01.183{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527583Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-A795-6081-1083-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001527582Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A795-6081-1083-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001527581Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-A795-6081-1083-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001527580Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72E1F34B3B8B532BBB995786CA37E0F7,SHA256=4E975024B5D76C5F4675BEF03C10AAC184A449F666AC7AA391AB5F798585A6BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.309{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.309{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5251B9F939492EBE8F47AB5146B94836,SHA256=D5A2B592BE7638E88559DC7C9FC12CC7CAD4E30DA5399543D64EB82737414BCFfalsefalse - insufficient disk space 12241200x80000000000000002444036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002444034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002444033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
734700x80000000000000002444031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.259{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000002444030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002444017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002444011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002444009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002444008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000002444007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002444003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002443982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 12241200x80000000000000002443981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002443967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002443956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 12241200x80000000000000002443955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002443953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
734700x80000000000000002443931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 12241200x80000000000000002443930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002443917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000002443912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x80000000000000002443911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 
12241200x80000000000000002443910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x80000000000000002443909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 13241300x80000000000000002443908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x80000000000000002443907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x80000000000000002443906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002443905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.260{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 12241200x80000000000000002443904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002443901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000002443899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.260{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 
12241200x80000000000000002443898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002443894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x80000000000000002443893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002443888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.260{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 12241200x80000000000000002443887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.260{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002443885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002443878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:01.258{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=C146766884A92B154F2EB38463F2263D,SHA256=48C5CC7760187EDB140A904D3AC5FD24F740973CDBA07962047859F84E7BEB9CtrueMicrosoft WindowsValid 10341000x80000000000000002443877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.256{21761711-83AE-607D-1600-00000000BB01}11087656C:\Windows\system32\svchost.exe{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002443876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.256{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002443875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.256{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000002443874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000002443873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002443872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002443871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002443870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002443869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 12241200x80000000000000002443868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002443866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002443854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002443852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002443851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002443850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002443849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.240{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002443848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
16:43:04.448{21761711-83AE-607D-0D00-00000000BB01}7925480C:\Windows\system32\svchost.exe{21761711-A62F-6081-4F84-00000000BB01}5880C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.448{21761711-83AE-607D-0D00-00000000BB01}7925480C:\Windows\system32\svchost.exe{21761711-A62F-6081-4F84-00000000BB01}5880C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.448{21761711-83AE-607D-0D00-00000000BB01}7925480C:\Windows\system32\svchost.exe{21761711-83AE-607D-1E00-00000000BB01}1992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527620Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:04.581{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527619Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:04.581{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527626Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:05.752{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10C13F86BFA025AEBED7D9DBEC7CD9D,SHA256=4341716687F893A1635EDBE73B66FA2E6B7A44B6A009E342BFDF30C224BC3EAF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002444097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:03.627{21761711-A791-6081-7E84-00000000BB01}2744abpandh.com0::ffff:162.241.225.246;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE 11241100x80000000000000002444096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:05.751{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:05.751{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BE5778025A64007A9091B5049A37CB,SHA256=0E13583CEF12B6C47A37290C49F21D1DB17BA97A4160CBA27E9562009892EFC5falsefalse - insufficient disk space 354300x80000000000000002444094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.693{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49264-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000002444093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.438{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49263-false184.25.56.139a184-25-56-139.deploy.static.akamaitechnologies.com80http 354300x80000000000000002444092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.337{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49262-false162.241.225.246box5304.bluehost.com443https 10341000x80000000000000001527625Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:05.582{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527624Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:05.582{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527623Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:58.508{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1052-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 
22542200x80000000000000002444355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:05.449{21761711-83AE-607D-1D00-00000000BB01}1960246.225.241.162.in-addr.arpa.0type: 12 box5304.bluehost.com;C:\Windows\sysmon64.exe 22542200x80000000000000002444354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.101{21761711-A791-6081-7E84-00000000BB01}2744kamalandcompany.com0::ffff:5.100.155.169;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE 22542200x80000000000000002444353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.777{21761711-A791-6081-7E84-00000000BB01}2744r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:184.25.56.139;::ffff:184.25.56.131;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE 11241100x80000000000000002444352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.792{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.792{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F210CFD6033A25DDE919308D446490D8,SHA256=D6122C8F8CC450DC490CE34D52D803AE9C666DA028A6ED9DC6EF79EC79EA8064falsefalse - insufficient disk space 23542300x80000000000000001527633Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:06.760{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D744C32742B93228BC4168892AF428A9,SHA256=0184470D9A9914BD91AF59692FEC43D552EAD555AB6ACE2619DCF5CE4D792D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527632Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:06.583{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527631Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:06.583{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527630Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:06.549{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D226DAEF46F5C4D0B1C61A7443098FE,SHA256=AC3103E2D3B0AA1CEF463A00B46470AEE5A27C831B94314F01D188772C7781CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001527629Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:59.859{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50546- 354300x80000000000000001527628Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:59.535{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60056- 354300x80000000000000001527627Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:59.353{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60988- 354300x80000000000000002444350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.882{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49265-false5.100.155.1695.100.155-169.publicdomainregistry.com443https 11241100x80000000000000002444349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.538{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000002444348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.538{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFF1B4F1FDF8744711CC72676E07808B,SHA256=2746F9CA25151A5E406C21960FBB7EDFDE34CCE0F3907770B67A7671B70273BBfalsefalse - insufficient disk space 534500x80000000000000002444347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.290{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exe 11241100x80000000000000002444346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.237{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.237{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9693377404E29ADD18E58D8C3428F74,SHA256=5B152348C3660A753F86D93FF77A05A7C0F03C70E19581CE6473F60E4DE217DAfalsefalse - insufficient disk space 11241100x80000000000000002444344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.206{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002444343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.206{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9B4A8D68E3D079DB3EA90C293A5211,SHA256=C49EB7CF4B9E44B23AE5AD81235009EFD7743107230F7417C9D3EC417FE4F731falsefalse - insufficient disk space 12241200x80000000000000002444342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002444340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002444339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.121{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51trueMicrosoft WindowsValid 12241200x80000000000000002444338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002444330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002444317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.121{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 
12241200x80000000000000002444316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002444315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.121{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000002444314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.106{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Desktop/5952598816096256/document-752139500.xlsmBinary Data 10341000x80000000000000002444313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002444312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
16:43:06.106{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002444311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002444310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.106{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.106{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002444306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438\VirtualDesktopBinary Data 10341000x80000000000000002444305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
12241200x80000000000000002444304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438 10341000x80000000000000002444303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.106{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.106{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.106{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002444299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.090{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 12241200x80000000000000002444294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002444292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002444291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000002444287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000002444282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 12241200x80000000000000002444281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002444280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 12241200x80000000000000002444279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002444274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 734700x80000000000000002444271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 12241200x80000000000000002444270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002444268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002444267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000002444266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-83AE-607D-1600-00000000BB01}11087656C:\Windows\system32\svchost.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.090{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000002444263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002444262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.072{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 12241200x80000000000000002444261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002444259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002444258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000002444253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000002444238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000002444237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002444236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002444235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 
734700x80000000000000002444234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002444233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69trueMicrosoft WindowsValid 734700x80000000000000002444232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000002444231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000002444230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002444229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002444228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002444227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000002444226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002444225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002444224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002444223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667trueMicrosoft WindowsValid 
10341000x80000000000000002444222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002444221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A791-6081-7E84-00000000BB01}27442200C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+441c9|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d253|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e46713|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e4e7af|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11956d9|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+119e5fc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+4f8d5|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f622c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f87fb|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+150f0dc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+15163bc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2cc8|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2338|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11a73b|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e097a|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+2ffc3c|C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE+3009f1|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+20ca4b4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de4d3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de840 154100x80000000000000002444220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.085{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32 ..\oepddl.igk2,DllRegisterServerC:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm" 12241200x80000000000000002444219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000002444218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002444217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 10341000x80000000000000002444216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
13241300x80000000000000002444214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002444213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002444212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002444211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002444209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002444208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 10341000x80000000000000002444207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002444206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000002444201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.071{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 
12241200x80000000000000002444199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 10341000x80000000000000002444197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002444196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 13241300x80000000000000002444193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4\VirtualDesktopBinary Data 12241200x80000000000000002444192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4 12241200x80000000000000002444191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000002444187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000002444182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002444181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000002444180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.074{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002444177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.072{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002444172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.072{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002444171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.072{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x80000000000000002444170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.071{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000002444169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.071{21761711-83AE-607D-1600-00000000BB01}11087656C:\Windows\system32\svchost.exe{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.071{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002444167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.071{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002444166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000002444164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000002444163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69trueMicrosoft WindowsValid 12241200x80000000000000002444162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000002444150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.068{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002444142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x80000000000000002444141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002444140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 12241200x80000000000000002444139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000002444138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
734700x80000000000000002444137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 12241200x80000000000000002444136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002444135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000002444127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002444126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667trueMicrosoft WindowsValid 
12241200x80000000000000002444125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000002444118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x80000000000000002444117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000002444116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000002444115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000002444114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000002444112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x80000000000000002444111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000002444110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002444109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002444108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 
734700x80000000000000002444107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002444106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002444105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002444104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
12241200x80000000000000002444103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000002444102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.052{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000002444101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 10341000x80000000000000002444100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002444099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A791-6081-7E84-00000000BB01}27442200C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft 
Office\Root\Office16\AppVIsvSubsystems64.dll+441c9|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d253|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e46713|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e4e7af|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11956d9|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+119e5fc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+4f8d5|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f622c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f87fb|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+150f0dc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+15163bc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2cc8|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2338|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11a73b|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e097a|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+2ffc3c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+3009f1|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+20ca4b4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de4d3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de840 154100x80000000000000002444098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.056{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32 ..\oepddl.igk1,DllRegisterServerC:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft 
Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm" 22542200x80000000000000002444360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:05.532{21761711-83AE-607D-1D00-00000000BB01}1960139.56.25.184.in-addr.arpa.0type: 12 a184-25-56-139.deploy.static.akamaitechnologies.com;C:\Windows\sysmon64.exe 11241100x80000000000000002444359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.794{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.794{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303D192FD24A70FEE7ACEBC837CDE8B4,SHA256=F694CC8A477F9F39191F36067C265ECB3F7BBC7B6192B028C76420F2F022EEB8falsefalse - insufficient disk space 23542300x80000000000000001527638Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:07.764{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026CD7B6FA3F495EF8DEEF62BA6F4D31,SHA256=A2176781E24F26C217031842A3409DE3C27B859885BD5764C17A5B20FE9C2572,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:07.540{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.540{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=358D57C7F489D4439F03C4DE99BFE602,SHA256=5CFA868470A9ED00DF2DD6D86312911EF2D16EA2D45F0352B040BF6F4D8248FCfalsefalse - insufficient disk space 10341000x80000000000000001527637Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:07.584{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527636Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:07.584{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527635Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.133{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60319- 354300x80000000000000001527634Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.133{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64544- 22542200x80000000000000002444403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.402{21761711-83AE-607D-1D00-00000000BB01}1960169.155.100.5.in-addr.arpa.0type: 12 5.100.155-169.publicdomainregistry.com;C:\Windows\sysmon64.exe 354300x80000000000000002444402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.982{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49266-false23.54.49.175a23-54-49-175.deploy.static.akamaitechnologies.com443https 23542300x80000000000000001527698Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:08.883{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAE0C56629471D4F9C7130EA9118C87,SHA256=55630AA54DEF87EF0623D7AB45500AE94C4805C2C44C0B4395F0EC445026CD5F,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002444401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess 13241300x80000000000000002444400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\PointsBinary Data 13241300x80000000000000002444399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\LastAccessedTimeQWORD (0x00000000-0x00000000) 13241300x80000000000000002444398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\TypeDWORD (0x00000000) 
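The record to key on in the dump above is the Event ID 1 at 16:43:06.056 on win-host-5: EXCEL.EXE, opened on document-752139500.xlsm, spawns `rundll32 ..\oepddl.igk1,DllRegisterServer` from `C:\Users\Administrator\Documents\` at High integrity, and shortly after Excel itself opens a TCP connection to 23.54.49.175:443. Two things stand out to a detection engineer: an Office host spawning a loader binary, and rundll32 being handed a relative module path with a non-DLL extension. The Python below is an added example, not part of the captured data and not Sysmon's or Splunk's own tooling: it parses Event ID 1 records in the standard Windows Event XML shape, applies both checks, and ignores other event types. The sample records are constructed to mirror the captured record plus a benign Explorer-launched rundll32; the detection names, the LOLBin list and the "normal DLL extension" set are this example's own assumptions.

```python
"""Added example: detection logic for the Excel -> rundll32 chain above.

Parses Sysmon Event ID 1 (process creation) records in Windows Event XML
form and flags (1) an Office application spawning a living-off-the-land
binary and (2) a rundll32 module argument that is a relative path or has an
extension a DLL normally would not have.  Sample records are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from xml.sax.saxutils import escape

XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": XMLNS}

# Office hosts that should practically never spawn script/loader binaries (assumed list).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# First-stage loader binaries commonly seen after a macro fires (assumed list).
LOLBIN_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Extensions a legitimate rundll32 module argument normally carries (assumed set).
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# rundll32 syntax: [<path>\]rundll32[.exe] <module>[,<entrypoint>] [args]
# The module is either a quoted string or an unquoted run up to whitespace/comma.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(?:"([^"]+)"|([^\s,]+))',
    re.IGNORECASE,
)


def make_event(event_id: int, fields: Dict[str, str]) -> str:
    """Build a minimal Windows Event XML record (used only for sample data)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{XMLNS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample records; the first mirrors the captured record above.
SAMPLE_EVENTS: List[str] = [
    make_event(1, {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32 ..\oepddl.igk1,DllRegisterServer",
        "CurrentDirectory": "C:\\Users\\Administrator\\Documents\\",
        "User": r"WIN-HOST-5\Administrator",
        "IntegrityLevel": "High",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                             r'"C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm"',
    }),
    # Benign: Explorer opening a Control Panel applet through rundll32.
    make_event(1, {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
        "ParentImage": r"C:\Windows\Explorer.EXE",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    }),
    # Image-load event (ID 7): not a process creation, so the rules must skip it.
    make_event(7, {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Windows\System32\imm32.dll",
    }),
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Event XML record into {field: value} plus its EventID."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name", "")] = d.text or ""
    return ev


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline: str) -> Optional[str]:
    """Return the module argument of a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def module_extension(mod: str) -> str:
    """Extension of the module path's last component, '' if it has none."""
    name = basename(mod)
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def analyse(ev: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one parsed record."""
    findings: List[str] = []
    if ev.get("EventID") != "1":
        return findings
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if parent in OFFICE_PARENTS and image in LOLBIN_CHILDREN:
        findings.append(f"office_spawns_lolbin:{parent}->{image}")
    if image == "rundll32.exe":
        mod = rundll32_module(ev.get("CommandLine", ""))
        if mod is not None:
            if module_extension(mod) not in DLL_EXTENSIONS:
                findings.append(f"rundll32_unusual_module_extension:{mod}")
            # Bare names (user32.dll) are normal; a path that has directory parts
            # but no drive letter or UNC prefix is the traversal pattern seen above.
            if "\\" in mod and not re.match(r"^(?:[A-Za-z]:\\|\\\\)", mod):
                findings.append(f"rundll32_relative_module_path:{mod}")
    return findings


def run_detections(records: List[str]) -> List[List[str]]:
    """Parse every record and return its findings, index-aligned with the input."""
    return [analyse(parse_event(r)) for r in records]


if __name__ == "__main__":
    for idx, hits in enumerate(run_detections(SAMPLE_EVENTS)):
        print(idx, hits or "clean")
```

Run as-is, the first sample fires all three rules and the other two are clean. Against a live feed you would pull the `EventData` from the Sysmon channel (the Splunk forwarder fields above are the same names) and keep the `EventID` guard, since ID 7 and ID 10 records for the same rundll32 process also carry an `Image` field.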
12241200x80000000000000002444397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems 13241300x80000000000000002444396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.EXCEL.EXE.15QWORD (0x01d73796-0x934c457b) 12241200x80000000000000002444395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000002444394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000002444393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000002444392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000002444391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f 10341000x80000000000000002444390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft 
Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 23542300x80000000000000002444389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}2744WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF102c83fc.TMPMD5=97C6F6C6415FD0AE91EB14429A4620D9,SHA256=95BBB488C9E1F54C1D20D018FCF1C63AD7A66F1D76F12BC19CAFF19584D94905falsefalse - insufficient disk space 11241100x80000000000000002444388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.643{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF102c83fc.TMP2021-04-22 16:43:08.643 
Microsoft-Windows-Sysmon/Operational events, newest first (EventRecordID descending per host). On every record Level is 4, Opcode is 0, Task equals EventID, Keywords is 0x8000000000000000 and RuleName is "-". Field order per EventID follows the Sysmon event schema (version in parentheses):

EventID 2 (v5, FileCreateTime): RecordID | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime | PreviousCreationUtcTime
EventID 7 (v3, ImageLoad): RecordID | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
EventID 10 (v3, ProcessAccess): RecordID | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
EventID 11 (v2, FileCreate): RecordID | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
EventID 12 (v2, RegistryEvent key create/delete): RecordID | EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject
EventID 13 (v2, RegistryEvent value set): RecordID | EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject | Details
EventID 23 (v5, FileDelete): RecordID | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

Host win-host-5.attackrange.local

[EID 2] 2444387 | 2021-04-22 16:43:08.643 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUMZHWBLKOR5E3R1IQ1Q.temp | 2021-04-20 20:31:10.915 | 2021-04-22 16:43:08.643
[EID 11] 2444386 | 2021-04-22 16:43:08.643 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUMZHWBLKOR5E3R1IQ1Q.temp | 2021-04-22 16:43:08.643
[EID 13] 2444385 | SetValue | 2021-04-22 16:43:08.627 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xls\OpenWithProgids\Excel.Sheet.8 | Binary Data
[EID 13] 2444384 | SetValue | 2021-04-22 16:43:08.627 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12 | Binary Data
[EID 13] 2444383 | SetValue | 2021-04-22 16:43:08.612 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12 | Binary Data
[EID 13] 2444382 | SetValue | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12 | Binary Data
[EID 12] 2444381 | CreateKey | 2021-04-22 16:43:08.596 | {21761711-83AE-607D-1600-00000000BB01} | 1108 | C:\Windows\system32\svchost.exe | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
[EID 13] 2444380 | SetValue | 2021-04-22 16:43:08.596 | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\Points | Binary Data
[EID 13] 2444379 | SetValue | 2021-04-22 16:43:08.596 | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\LastAccessedTime | QWORD (0x00000000-0x00000000)
[EID 13] 2444378 | SetValue | 2021-04-22 16:43:08.596 | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\Type | DWORD (0x00000000)
[EID 12] 2444377 | CreateKey | 2021-04-22 16:43:08.596 | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems
[EID 12] 2444376 | CreateKey | 2021-04-22 16:43:08.596 | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
[EID 13] 2444375 | SetValue | 2021-04-22 16:43:08.596 | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.EXCEL.EXE.15 | QWORD (0x01d73796-0x9342bc00)
[EID 12] 2444374 | CreateKey | 2021-04-22 16:43:08.596 | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData
[EID 10] 2444373 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | 5176 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c
[EID 10] 2444372 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | 5176 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c
[EID 10] 2444371 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | 5176 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f
[EID 10] 2444370 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | 5176 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | {21761711-84C9-607D-F200-00000000BB01} | 3784 | C:\Windows\Explorer.EXE | 0x40 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06
[EID 23] 2444369 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | WIN-HOST-5\Administrator | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF102c83cd.TMP | MD5=1B6C4DAB92A1103036DBB83944490502,SHA256=261387FAB44A3AD1034D3AE78E86670F6973884E193B005365376202621E2A94 | false | false - insufficient disk space
[EID 11] 2444368 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF102c83cd.TMP | 2021-04-22 16:43:08.596
[EID 7] 2444367 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\ntmarta.dll | 10.0.14393.0 (rs1_release.160715-1616) | Windows NT MARTA provider | Microsoft® Windows® Operating System | Microsoft Corporation | ntmarta.dll | MD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176 | true | Microsoft Windows | Valid
[EID 2] 2444366 | 2021-04-22 16:43:08.596 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\COV53OS86SBMQBH8RXJ0.temp | 2021-04-20 20:31:10.915 | 2021-04-22 16:43:08.580
[EID 11] 2444365 | 2021-04-22 16:43:08.580 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\COV53OS86SBMQBH8RXJ0.temp | 2021-04-22 16:43:08.580
[EID 13] 2444364 | SetValue | 2021-04-22 16:43:08.580 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xls\OpenWithProgids\Excel.Sheet.8 | Binary Data
[EID 13] 2444363 | SetValue | 2021-04-22 16:43:08.558 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12 | Binary Data
[EID 13] 2444362 | SetValue | 2021-04-22 16:43:08.543 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12 | Binary Data
[EID 7] 2444361 | 2021-04-22 16:43:08.543 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\actxprxy.dll | 10.0.14393.3808 (rs1_release.200707-2105) | ActiveX Interface Marshaling Library | Microsoft® Windows® Operating System | Microsoft Corporation | ActXPrxy.dll | MD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207 | true | Microsoft Windows | Valid

Host win-dc-982.attackrange.local

[EID 10] 1527697 | 2021-04-22 16:43:08.584 | {761B69BB-818C-607D-0C00-00000000BA01} | 844 | 972 | C:\Windows\system32\svchost.exe | {761B69BB-88AA-6081-647F-00000000BA01} | 6840 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | 0x3600 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
[EID 10] 1527696 | 2021-04-22 16:43:08.584 | {761B69BB-818C-607D-0C00-00000000BA01} | 844 | 972 | C:\Windows\system32\svchost.exe | {761B69BB-88AA-6081-657F-00000000BA01} | 6112 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | 0x3600 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

[EID 23] records 1527695 down to 1527648, all but 1527680, share ProcessGuid {761B69BB-A4A5-607D-9A08-00000000BA01}, ProcessId 6816, User ATTACKRANGE\Administrator, Image C:\Program Files\Mozilla Firefox\firefox.exe, IMPHASH=00000000000000000000000000000000, IsExecutable false, Archived true, and UtcTime date 2021-04-22. TargetFilename is given relative to C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\. Columns: RecordID | UtcTime | TargetFilename (relative) | MD5 | SHA256
1527695 | 16:43:08.542 | social-tracking-protection-twitter-digest256.vlpset | 97A6F4A4475A2DA6F728631E5F3FB8B9 | A2CE586BF4ED2629C5F22B14F9949F23FD6D2FE04E392F90CAC913E96A774B93
1527694 | 16:43:08.536 | social-tracking-protection-twitter-digest256.sbstore | FA0C76F30F4ED963BA059B170EAC19C3 | 9EB8FAE3BB246F4C8DA9AA6B59EF048D42226B1BCD819D2F585B797D2A604E27
1527693 | 16:43:08.535 | social-tracking-protection-linkedin-digest256.vlpset | C92F64B2A394E6251DA70B2795F9E83E | 84B2C87243255A5A5FFFD74BBE12A01F1E31EB0739E52CBF828F8F50CB71539E
1527692 | 16:43:08.535 | social-tracking-protection-linkedin-digest256.sbstore | D554B9228F49B8C0CFE7340CD29CC50B | B25EC46DFA2F231C792651EADFE59278FBC354C96866173491ADD7971AE73FBF
1527691 | 16:43:08.535 | social-tracking-protection-facebook-digest256.vlpset | C68BBE592F2AD1D8241EB71153155CD7 | 7C9B37D95D158912BFDA5245A5F2F5EE849DC5FC706B2651E69DF35F900374B2
1527690 | 16:43:08.533 | social-tracking-protection-facebook-digest256.sbstore | C4A676C01BFA971F03B1746047587CEC | 3B3B09FC8B7EE90DB0CA505A724046A0B7E5908931EDFF049FA00EBFF3408475
1527689 | 16:43:08.533 | social-track-digest256.vlpset | 193A2115207353530EA62B086AB04AE7 | A1ABC8374A7C4F55E2A5453BFE56A5075556A0450563926E8BDAEB62E47164FD
1527688 | 16:43:08.532 | social-track-digest256.sbstore | B67AAB7AA3AF3C5E626EC0C904397D91 | 0A36A299029BEB2433559DFE4000AF249E4930003C607C61E3F124F1561D5793
1527687 | 16:43:08.531 | mozstd-trackwhite-digest256.vlpset | 3EC11392D120EFF88EA429D945305A23 | 00A881F20202579C53597EF52C315AEF2A75B23DEAD91B21FAD0F2292CEA969A
1527686 | 16:43:08.528 | mozstd-trackwhite-digest256.sbstore | BFF7DF7E350A49234104FC5231FDB381 | 71EC5B3701739EE7B118F82E5777807D98A1EBADD653F7C8F8E04426A5938D32
1527685 | 16:43:08.527 | mozplugin-block-digest256.vlpset | FCC9C2C9B611A3264B68EBE180EB4248 | 6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC
1527684 | 16:43:08.526 | mozplugin-block-digest256.sbstore | 519BEB1B01FC355BB388F1F75BE997FD | FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0
1527683 | 16:43:08.526 | google4\goog-unwanted-proto.vlpset | AFB48455939DC499E5921A2674A2A6DD | 81DC1D6ED8134688188D28C955E7B2136E5B151F3C6A15A32F5F7E24C8B04AC0
1527682 | 16:43:08.525 | google4\goog-unwanted-proto.metadata | C663931DB30D921F891EE6189BFD7BC3 | 16CDC66E18BB343CF325528ACB23262B3AC75AD83CD3EBA693BF522E70B1C85A
1527681 | 16:43:08.524 | google4\goog-phish-proto.vlpset | 34C998C43AEB6D57B61C620551D62F78 | 8987703121C8953F330B1BFAB0EA6B4E8A4CBEF42C728C2949AB97F75BBB0080
[EID 23, full schema, different process] 1527680 | 2021-04-22 16:43:08.509 | {761B69BB-820D-607D-D800-00000000BA01} | 1064 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=0A496C20BE662EA959E1CDD75D0E0E2C,SHA256=4AEBA6C2DB0FD27739249890C88CDD215FE212FF48C9B5BFF5DDEDD3AD583153,IMPHASH=00000000000000000000000000000000 | false | true
1527679 | 16:43:08.467 | google4\goog-phish-proto.metadata | 72DDE7B3400E383F29F05C4F10195FCB | 218F4C30AB2D0190F1D3177160B006EA18E816BF5A6D075757BAB12A2C1A0EB3
1527678 | 16:43:08.467 | google4\goog-malware-proto.vlpset | 6178E970E152D2F67913D59980455571 | E70C5AA0215B2C96655C9327C71211118F9123E59DBBB57178213F207904567A
1527677 | 16:43:08.465 | google4\goog-malware-proto.metadata | 5232BB7174DD038D5C75A78738E012ED | 2B1F6F950BE5B52FAA90ED5F217C9B2BDA70016A79F1F9C1EFC89ADC9B9F955D
1527676 | 16:43:08.465 | google4\goog-downloadwhite-proto.vlpset | EA86E0097B81FDBDEE3F12AC90CA6410 | 6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8
1527675 | 16:43:08.464 | google4\goog-downloadwhite-proto.metadata | 74340326CDB97A696E8E3A4B9CEA6BC0 | 6DFF35E885CCF75F9D753991316ECC857A4B750245AFD0335D9D100C27B0234B
1527674 | 16:43:08.463 | google4\goog-badbinurl-proto.vlpset | CA891458BF6FDC8DFCDEF9AC1E52C6B0 | 5310BD754204761906DC9414919C3014BA333D40B0E19B782A5202496BD0B3DF
1527673 | 16:43:08.458 | google4\goog-badbinurl-proto.metadata | EE73B8A7F569D124BF2C96E771FF3EBA | 65CA29D92983D14CB7551DD004C1CA8674CE233A19E7415FD5CABBD5E92BB3AD
1527672 | 16:43:08.457 | google-trackwhite-digest256.vlpset | E54E5B84194EEE15E64D2A03F1136BB7 | 07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E
1527671 | 16:43:08.445 | google-trackwhite-digest256.sbstore | 2902D4FAA8B0A0459D1D6B8B6FEBD9BD | F5EDD0240F6995AA18D19480553CFC1DFEEF2DD42CC81CB4163330B8F6F4375E
1527670 | 16:43:08.444 | except-flashsubdoc-digest256.vlpset | 0C0D67875BD75A0227C02DD8529BA01A | 614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97
1527669 | 16:43:08.443 | except-flashsubdoc-digest256.sbstore | 22698B4CF784DBBAE2D583F00491D43D | 3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5
1527668 | 16:43:08.443 | except-flashallow-digest256.vlpset | 7194B6BFF691A056852A51E2E06CE8FE | CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49
1527667 | 16:43:08.442 | except-flashallow-digest256.sbstore | DD0458514C9A922B45DA6A8BEBE47320 | D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761
1527666 | 16:43:08.441 | except-flash-digest256.vlpset | C2994D388F8780C87D35C352D9582985 | 7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25
1527665 | 16:43:08.441 | except-flash-digest256.sbstore | D5D6B4D59B4AE4E2DE4B40D0DA083571 | 000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C
1527664 | 16:43:08.440 | content-track-digest256.vlpset | 1028766506A3BA76D4B5073B51607632 | FB20EF2AFE0BA5F6052B9099208148BE587F2A8FBDA99BF0CA8D4D3EE731B011
1527663 | 16:43:08.439 | content-track-digest256.sbstore | 0B4FE3EAA77CC526D0096D637E741137 | 8E264BC81686885DC6F1B8A9C85CEAE9FEC1C836E971FB483952240619CA9503
1527662 | 16:43:08.438 | block-flashsubdoc-digest256.vlpset | 40165280FF1345B5241EC2A9D1DA2AF0 | F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F
1527661 | 16:43:08.437 | block-flashsubdoc-digest256.sbstore | B9556D03AFF392142AD5691D2F867310 | CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C
1527660 | 16:43:08.436 | block-flash-digest256.vlpset | 130B9AC2BEEC5ADA274561105D81AE36 | 7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460
1527659 | 16:43:08.436 | block-flash-digest256.sbstore | 9F6B331AA1E070DCFEED473E76CE56C3 | 7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D
1527658 | 16:43:08.434 | base-fingerprinting-track-digest256.vlpset | 406E2A001E0ED3AAEE2B64DA6C9F53F2 | 3204CF21A190AFC5DB2708B31E23D17A3F5948B83E3F938CBC35ECBB9502065F
1527657 | 16:43:08.434 | base-fingerprinting-track-digest256.sbstore | 73DC8D3F53B50FB0F1F8632C9530FD92 | 833AC94BC689B785FB52EC5D18E139325EFDFF464D005116AF932573580FB379
1527656 | 16:43:08.433 | base-cryptomining-track-digest256.vlpset | 8FB7ED28969FCFF0F265748B21D63FB4 | 7693D31323F34A333876CA25EEF7FEFE5D0287EC905B3DE6D9C96DCE35E546B3
1527655 | 16:43:08.432 | base-cryptomining-track-digest256.sbstore | D7C59E2F837B8AEEA2F739F53618E447 | 2C1AD66C99A7BD1A29662EF88424B68483C5A3EEB994B7D66863002B2B698CF4
1527654 | 16:43:08.431 | analytics-track-digest256.vlpset | AC4E6267234C56AFD48EE9D2558B7781 | D3DC032A02717D6BC89667548C9CA780002F650DC925E88A119F887795CDC4FF
1527653 | 16:43:08.430 | analytics-track-digest256.sbstore | 26DD17C3AF92B5FD0624EF397C943D73 | CDBD69DD85A086163CD3C29F5C0A1EE64DE2FC9C4C60AEF9DF93F24EA552E40D
1527652 | 16:43:08.430 | allow-flashallow-digest256.vlpset | DE0D88480C24350C59E1E9A3583DE0D1 | 01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7
1527651 | 16:43:08.429 | allow-flashallow-digest256.sbstore | DD0458514C9A922B45DA6A8BEBE47320 | D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761
1527650 | 16:43:08.428 | ads-track-digest256.vlpset | F3A26F8FE090585B0A7020257F93873A | C8E29B88BFBC7BF83D7E2EC53C75CFA838876DA6CE30D5671EE8A89D30CE057D
1527649 | 16:43:08.427 | ads-track-digest256.sbstore | DB4E29051A6D4659A261EEADF4210808 | C331723689C2119D017566CA4748BE354BF1A25BFC1969316C06F00CE95A089F
1527648 | 16:43:08.416 | google4\goog-badbinurl-proto.metadata | EE73B8A7F569D124BF2C96E771FF3EBA | 65CA29D92983D14CB7551DD004C1CA8674CE233A19E7415FD5CABBD5E92BB3AD
23542300x80000000000000001527647Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.408{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527646Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.339{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=C663931DB30D921F891EE6189BFD7BC3,SHA256=16CDC66E18BB343CF325528ACB23262B3AC75AD83CD3EBA693BF522E70B1C85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527645Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.335{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527644Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.319{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=5232BB7174DD038D5C75A78738E012ED,SHA256=2B1F6F950BE5B52FAA90ED5F217C9B2BDA70016A79F1F9C1EFC89ADC9B9F955D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527643Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.315{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527642Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.304{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=72DDE7B3400E383F29F05C4F10195FCB,SHA256=218F4C30AB2D0190F1D3177160B006EA18E816BF5A6D075757BAB12A2C1A0EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527641Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.261{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001527640Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.135{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54914- 354300x80000000000000001527639Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.662{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1053-false10.0.1.12-8000- 22542200x80000000000000002444411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.397{21761711-A791-6081-7E84-00000000BB01}2744self.events.data.microsoft.com0type: 5 self-events-data.trafficmanager.net;type: 5 skypedataprdcoluks00.cloudapp.net;::ffff:51.140.157.153;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE 22542200x80000000000000002444410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.335{21761711-A791-6081-7E84-00000000BB01}2744cdn.uci.officeapps.live.com0type: 5 cdn.uci.officeapps.live.com.edgekey.net;type: 5 e1324.d.akamaiedge.net;::ffff:23.54.49.175;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE 11241100x80000000000000002444409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.846{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.846{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CD52CDAAE0A91D575C82E9A8741D78,SHA256=8A31F48A8DD68CC9D1309DFE0F482F1F662D71A6202902BA8D0B35BAD55F3F09falsefalse - insufficient disk space 23542300x80000000000000001527705Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.888{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7D200A3625B13721457185C3013CD1,SHA256=F80E8EFC8432A30145A21322828160B95FFA193387DFA26555179DE121AE7F46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.579{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.579{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C77D50A8A31A072AF78C463FC81B874D,SHA256=88896B783DCB86C15B4C13F432486ABFA2A5C0BF920951234C60D4751198A590falsefalse - insufficient disk space 11241100x80000000000000002444405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.013{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.013{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB7DEB4308AF2EBF6142D21117824C4,SHA256=5384FDD5B77A2031034441A0A450D7CC84D380FA62C7AE24CDBA46F0328538AFfalsefalse - insufficient disk space 10341000x80000000000000001527704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527703Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:09.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527702Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.553{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62D0BE9C195C826941F69CB9CBA5EE1E,SHA256=3738DBA21BE86277191BCE55561D85018F89E2E0A0E9B53E7273A1DB2BE959D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001527701Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:03.055{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61100- 354300x80000000000000001527700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.881{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1054-false142.251.33.106sea30s10-in-f10.1e100.net443https 23542300x80000000000000001527699Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.045{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:10.848{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:10.848{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F09AAC6579F7E0AB7810CE5D5FBCC7,SHA256=1F53E1822C622D05ED00CB39240C210C46E400D2D994703720EE5D883F083F21falsefalse - insufficient disk space 23542300x80000000000000001527709Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:10.893{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E128398BA113F888BA094EBD8CA68E,SHA256=C5E9C68BFAD397414A2DDA6189CBC0D0A7A1C7BE41850566A56043C9A8A90469,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002444412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.185{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49267-false51.140.157.153-443https 
10341000x80000000000000001527708Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:10.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527707Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:10.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527706Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:04.142{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52401- 11241100x80000000000000002444419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:11.884{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:11.884{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5415428358E77058F5A82B03576D4FB8,SHA256=43257BE943F10B2BFBEB313C8A0AC8212604180930F1CC5BE3DA42CE9C11897Afalsefalse - insufficient disk space 23542300x80000000000000001527712Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:11.897{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F0A2761FFDD4E1BD22023BC15A21D6,SHA256=C4EC93D94DA22C7CE46D82E7BC54DF044C5B9B029262A19543732E2623ED060E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002444417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.658{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49268-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002444416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:11.187{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:11.187{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF027D7DBFAB13D37B0CF7AEF710DBBF,SHA256=FF89DB162DB496D064B6AF3361354DBEAEB949A9051E54858B2D394D04E25F8Afalsefalse - insufficient disk space 10341000x80000000000000001527711Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:11.586{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527710Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:11.586{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002444421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:12.888{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:12.887{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9093A2E4337DE2775D685EABB4464128,SHA256=36DE7C531068083032086C4920B20064107D1CA41B60DB8B57D4398808A902B4falsefalse - insufficient disk space 23542300x80000000000000001527716Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.904{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A1E35C3869D889604979E6B3389894,SHA256=02C6E6F1ABC5E39555F869AF7D7717AED6524B328B271AB4BD271121C0D8D105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527715Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.587{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001527714Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.587{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527713Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.205{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38933F24A8E07AACD480B7D9E4C0211F,SHA256=7F8E39E0CEFB39BE49F41E9A7503A2287C095B508978201A42DA840F46870B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527719Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:13.909{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4C3D325F9BE11BE87172F54F7BB839,SHA256=7314C5CCFC8A6F585DBDCAC7C14113B94610555021AE3614F2ADCC2DFAE1D82E,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002444521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 
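The records above are Sysmon/Operational events that were flattened to text on export: every field was concatenated with no separator, records are divided only by a single space, and each one opens with EventID, Version, Level, Task, Opcode, Keywords, EventRecordID and the channel name before the Sysmon fields in schema order. The following parser is an added example, not code from the page or from the Attack Range project; it assumes exactly that layout (Task equal to EventID, Level 4, Opcode 0, the fixed Keywords value) and decodes the four event types that dominate this stretch of the log: 23 FileDelete, 11 FileCreate, 10 ProcessAccess and 12 RegistryEvent. The point worth checking here is the trailing Archived field of event 23: on win-dc-982 it reads `true`, on win-host-5 it reads `false - insufficient disk space`, meaning Sysmon kept no copy of those deleted files, so there is nothing to pull from the archive directory for them later. The six sample records are copied verbatim from the export; the helper names are the example's own.

```python
"""Recover structure from the delimiter-less Sysmon export above and triage it."""
import re
from collections import Counter

# Header of every record: EventID, Version, Level (always 4), Task (= EventID),
# Opcode (0), Keywords, EventRecordID, Channel.  Task repeating EventID is what
# lets the regex find the boundary inside the fused digit run.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<ver>\d)4(?P=eid)0"
    r"0x8000000000000000(?P<record>\d+)Microsoft-Windows-Sysmon/Operational"
)
# Computer, RuleName ("-" on this page), optional EventType (registry events),
# UtcTime, ProcessGuid.  Hostnames contain "-" too, so the timestamp anchors the split.
PREFIX = re.compile(
    r"(?P<computer>.+?)-(?P<etype>[A-Za-z]+)?"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<guid>\{[0-9A-F-]+\})(?P<rest>.*)$"
)
PATH = r"[A-Z]:\\.+?\.exe"  # an Image value: drive letter up to the first ".exe"
BODY = {
    # 23 FileDelete: ProcessId User Image TargetFilename Hashes IsExecutable Archived
    23: re.compile(
        rf"(?P<pid>\d+)(?P<user>.+?)(?P<image>{PATH})(?P<target>[A-Z]:\\.+?)"
        r"(?P<hashes>MD5=[A-Z0-9=,]+)(?P<is_exe>true|false)(?P<archived>.*)$"
    ),
    # 11 FileCreate: ProcessId Image TargetFilename CreationUtcTime
    11: re.compile(
        rf"(?P<pid>\d+)(?P<image>{PATH})(?P<target>.+?)"
        r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})$"
    ),
    # 10 ProcessAccess: SourceProcessId+SourceThreadId (fused; the boundary is lost
    # in this export), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage,
    # GrantedAccess, CallTrace
    10: re.compile(
        rf"(?P<pid_tid>\d+)(?P<image>{PATH})(?P<tguid>\{{[0-9A-F-]+\}})(?P<tpid>\d+)"
        rf"(?P<target>{PATH})(?P<access>0x[0-9A-Fa-f]+?)(?P<calltrace>[A-Z]:\\.*)$"
    ),
    # 12 RegistryEvent: ProcessId Image TargetObject
    12: re.compile(rf"(?P<pid>\d+)(?P<image>{PATH})(?P<target>.+)$"),
}


def parse_records(stream):
    """Split the export on record headers and decode the events handled in BODY;
    anything else keeps its undecoded field run under 'raw'."""
    heads = list(HEADER.finditer(stream))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(stream)
        body = stream[h.end():end].strip()
        rec = {"eid": int(h["eid"]), "record": int(h["record"])}
        p = PREFIX.match(body)
        if p is None:
            rec["raw"] = body
            records.append(rec)
            continue
        rec.update(computer=p["computer"], etype=p["etype"], utc=p["utc"], guid=p["guid"])
        pat = BODY.get(rec["eid"])
        m = pat.match(p["rest"]) if pat else None
        if m:
            rec.update(m.groupdict())
        else:
            rec["raw"] = p["rest"]
        records.append(rec)
    return records


def unarchived_deletes(records):
    """FileDelete events whose Archived field is not plain 'true': Sysmon kept no
    copy of the deleted file, so it cannot be recovered from the archive directory.
    The field itself carries the reason."""
    return [(r["computer"], r["image"], r["target"], r["archived"])
            for r in records if r["eid"] == 23 and r.get("archived") != "true"]


def source_counts(records):
    """Event volume per (EventID, Image): the benign high-volume sources are what a
    detection rule has to exclude before anything else in the log is visible."""
    return Counter((r["eid"], r.get("image", "?")) for r in records)


# Six records copied verbatim from the export on this page, re-joined with the
# single space that separates records there.
SAMPLE = " ".join([
    r"23542300x80000000000000001527661Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.437{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue",
    r"23542300x80000000000000002444408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.846{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CD52CDAAE0A91D575C82E9A8741D78,SHA256=8A31F48A8DD68CC9D1309DFE0F482F1F662D71A6202902BA8D0B35BAD55F3F09falsefalse - insufficient disk space",
    r"11241100x80000000000000002444409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.846{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072",
    r"10341000x80000000000000001527704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
    r"12241200x80000000000000002444521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs",
    r"354300x80000000000000001527640Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.135{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54914-",
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for computer, image, target, why in unarchived_deletes(recs):
        print(f"NOT ARCHIVED on {computer}: {target} (deleted by {image}; Archived={why})")
    for (eid, image), n in source_counts(recs).most_common():
        print(f"event {eid:>2} x{n}  {image}")
```

Two caveats the parser makes explicit. The event 10 SourceProcessId and SourceThreadId were fused into one digit run (`844972`) by the export and cannot be split without the original XML, so they are kept as one string; and the `IMPHASH=000…` values on `.sbstore`, `.vlpset` and checkpoint files are expected, because an import hash only exists for PE images. Event 3 (NetworkConnect) is left undecoded here on purpose: its hostname and port fields run together in the same way and need the full Sysmon field list to split, which is a reason to ingest Sysmon as XML or JSON rather than as this kind of flattened text in the first place.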
12241200x80000000000000002444520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000002444519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000002444518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000002444516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000002444515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:13.971{21761711-A7A1-6081-8484-00000000BB01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 12241200x80000000000000002444514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002444522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.109{21761711-A7A1-6081-8484-00000000BB01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001527722Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:14.589{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527721Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:14.589{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527720Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:06.794{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1055-false10.0.1.12-8000- 23542300x80000000000000001527726Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:15.925{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED64B54D9B4C2A8371526C60560859E,SHA256=72A04462776679B119B204FA96C7FD8639171519536FA1062BE79FFCEECC4E3D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:15.159{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:15.159{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB52779F23781ECC920C02C2864A8A2E,SHA256=945C996FBF4EB402F9731F5BD2D01EE0AA051546B91F286AA8B06D743DD303B4falsefalse - insufficient disk space 10341000x80000000000000001527725Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:15.590{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527724Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:15.590{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002444543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
16:43:15.058{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438\VirtualDesktopBinary Data 12241200x80000000000000002444542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:15.058{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438 534500x80000000000000002444541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exe 12241200x80000000000000002444540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438 10341000x80000000000000002444539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002444538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002444537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002444536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 10341000x80000000000000002444533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527729Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:16.935{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790A4D78F975D96EF6B9744FB1D02FE4,SHA256=301DD7211ECE9004764D825B0194A196114E3C24E32208F29C16135D0F10A020,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.161{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F58D664421A569F9334971B0FFF3361,SHA256=6C78F42C786B08935F0177C7E5EEE4442453B1B1B70DC0C234F2689ED1CB5852falsefalse - insufficient disk space 10341000x80000000000000001527728Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:16.591{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527727Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:16.591{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002444557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:16.114{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4\VirtualDesktopBinary Data 12241200x80000000000000002444556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 
16:43:16.114{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4 13241300x80000000000000002444555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002444554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002444553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002444552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exe 12241200x80000000000000002444551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 
16:43:16.045{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4 734700x80000000000000002444550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 10341000x80000000000000002444549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002444547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:16.014{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.014{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6C54519B259DAA51FD3527880800112,SHA256=322C43433B33E7451D39EC66F428D86902978B3E7DE1E9E65FA8DF301A2CB30Bfalsefalse - insufficient disk space 23542300x80000000000000001527732Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:17.941{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDFE321DB9EDD1FFC3AE746A368A925,SHA256=5788576200C877E01BAD3A465C01D07B57E1EB3BDB0B81FCEE8CB50A3ED8029E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002444680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:15.691{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49269-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000002444679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002444678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002444677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002444676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002444675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
734700x80000000000000002444674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002444673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002444672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002444671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002444670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002444590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002444589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002444588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002444587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002444586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002444585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002444584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000002444583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002444582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002444581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002444580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002444579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002444578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002444577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002444576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002444575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002444573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002444572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002444571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002444570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002444569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002444568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.048{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000002444567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.048{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.048{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=180B0DB58DD2FBAD3BB53D5E25955103,SHA256=AA25E205053A9B394F11123263878A03F11695020C8DEFCB42479CFD7B7ABDB3falsefalse - insufficient disk space 18141800x80000000000000002444565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002444563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002444561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001527737Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:18.949{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3DBC3D20C399C349C66E4611D60302,SHA256=2768FC15C64E7ED637CE472C9D9C9920C14747C7935350EDA821329B1C8098E2,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002444740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002444739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002444738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}45283924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002444736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002444735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.500{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.500{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C879CCDC34F990C64B9026526C986A,SHA256=28295857FA337039FBB78F876E6191F9365E441932497EB9B73130BE5BEF8B2Cfalsefalse - insufficient disk space 734700x80000000000000002444733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002444732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002444731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002444730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002444729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002444728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002444727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002444726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002444725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002444724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002444723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002444722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002444721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program 
16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002444824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002444823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002444822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 
734700x80000000000000002444821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002444820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002444819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002444817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002444816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002444815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002444814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002444813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002444812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.824{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002444811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002444809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002444807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002444805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.623{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.623{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E51C2A09BF2735D2086623CA97A96BD,SHA256=3E2192A686340D46D0B3DAF6447C63BA73713DAAC2D753F47B7212449CA60EB9falsefalse - insufficient disk space 11241100x80000000000000002444803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.604{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.603{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C6C05C572D505179760E97484D0595,SHA256=6E5AA3614CB6A4CEB659B0449643A434362073210E4893B7785D1B6CBD48EDD3falsefalse - insufficient disk space 11241100x80000000000000002444801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.601{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000002444800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.601{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63C5652391153816EE4FA0EB813E523F,SHA256=CC8814F6441A8810E754F193DA3BC6562F816ED422DBD744937A5630ECB2F7CBfalsefalse - insufficient disk space 23542300x80000000000000001527741Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:19.912{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6F7C450D4B77ACC20C850140538947E,SHA256=7DCA3F9B1D010E4E7C0B937154A665EEDF39D04F25B78BE160E8A3D6C20E8CD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527740Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:19.593{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527739Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:19.593{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527738Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.692{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1056-false10.0.1.12-8000- 534500x80000000000000002444799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002444798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002444797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002444795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002444794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.153{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002444793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.153{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002444792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002444791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002444790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 
18141800x80000000000000002444789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002444788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002444787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002444786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002444785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002444784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002444783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002444782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 
734700x80000000000000002444781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002444780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002444779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002444778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002444777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002444776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002444775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002444774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002444773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002444772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002444771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002444770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 
2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002444769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002444768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002444767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002444766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002444765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002444764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002444763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002444762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002444761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002444760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002444759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002444758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® 
Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002444757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002444756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002444754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002444753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002444752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002444751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002444750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002444749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.122{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002444748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
16:43:19.122{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.122{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002444746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.122{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.122{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002444744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.122{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002444743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.122{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 13241300x80000000000000002444742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:19.053{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002444741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 
16:43:19.053{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 23542300x80000000000000001527745Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:20.958{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3577BCFC9AF90BC7CBC073E31B383B0,SHA256=1D9A2FFE10DE3718483E46532996B0957667FC9845BF198E01B68F03DE433D43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.841{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.841{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69BEBDE4AC75B9AA0BAFAAC6B44879B2,SHA256=6476FF7FAD8D4A5AF5304C01A8303736424F2B396088BB92038F01129C00305Ffalsefalse - insufficient disk space 11241100x80000000000000002444921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.826{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002444920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.826{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37690FE909902B012E088402F430789E,SHA256=23C4AF597549CB601AEE87AF428923A315D0696EE171333307D3468232AAC574falsefalse - insufficient disk space 11241100x80000000000000002444919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.806{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.806{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7AC057697C948430E9BDD92FA1A9E5,SHA256=D2614B83A0D7CBD2F7521E4A92455A8D27B1A37D8F64DE25FB3FA3FE7227CCE6falsefalse - insufficient disk space 534500x80000000000000002444917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.657{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002444916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.657{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002444915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.657{21761711-A7A8-6081-8A84-00000000BB01}64325004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.657{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002444913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.657{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 
10341000x80000000000000001527744Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:20.594{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527743Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:20.594{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.541{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 
734700x80000000000000002444911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002444910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002444909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002444908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002444907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 
16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002444906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002444905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002444904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002444903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002444902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002444901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002444900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002444899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002444898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002444897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002444896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
16:43:28.228{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:28.228{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6573B66F1AC6FB03D088BE10BF3F02D6,SHA256=64C63E4B1B97DA9383A272A43D7D83C459A0A969E5ADF25CE4F46E2E3721CB22falsefalse - insufficient disk space 10341000x80000000000000001527773Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:28.601{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527772Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:28.601{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527771Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:28.025{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452FC5987FF3F6FA9F3E782A212B75AC,SHA256=111A6A2F0CB3CEE3F3F5BCF32A8A218056DADFE1CC9C4199DD6F86211F82FE98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:29.261{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:29.261{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEFA4538C74915C63D4077C85BA6E48,SHA256=1D97D2700B9518AC0EA82AF91D1CC437BA209719FCB23975AE9F9FC2930888C6falsefalse - insufficient disk space 
10341000x80000000000000001527777Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:29.602{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527776Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:29.602{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527775Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:29.139{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68FBB99B03406B29128490C8381F4E26,SHA256=7981AFE685C0C2C8A2302CBF2D591AC65E86767075BA57AC0AA0FD074A498D40,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001527774Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:29.028{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5650F760F17F06ED1D93EC96658E9363,SHA256=F84B15F144192C76F032675AC20E7CEA1A1798CCA40D2F633375F5B0ED817EED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:29.061{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:29.061{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA8519C74A6BC5050886831336CC55F,SHA256=2CA15354910F1BE38B90E620FE48B93D32EB3A764428C977944920BF5F38C345falsefalse - insufficient disk space 11241100x80000000000000002444945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:29.061{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:29.061{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=745A97498D2AEBA3E739E2DF07D78EDF,SHA256=DD11A87F06E0A66D9ADB8DEC1D8139648839DBED0A812191B43F6903EA1C6A48falsefalse - insufficient disk space 354300x80000000000000002444952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:27.536{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49271-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002444951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:30.264{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:30.264{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6744723E007CE5C92D0ACD63BEB57512,SHA256=9FBB71B258329440939D426287D4975BD496873C8223924645F52F3D074EAD60falsefalse - insufficient disk space 23542300x80000000000000001527782Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:30.728{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCAB4836FF74519B335AB02712294001,SHA256=84008F6E75EB4F9FED6C774728F826DE78C5F51B95F99164CDCC5DDF7E37D743,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001527781Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:30.603{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527780Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:30.603{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527779Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:23.728{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1059-false10.0.1.12-8000- 23542300x80000000000000001527778Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:30.031{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3C13A93264AE5983B887366A7E3846,SHA256=FAAE3AB2EF8FA71B6E5720813CE81BD4DBC1FA5D26668029830D2186DAC86A54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:31.266{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:31.266{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683B1402213D8D698B1B5D563D978A31,SHA256=88AEB0B2439F4DAFA65861395C125DB2745CED8ACD9B7FB8D661A85923D25035falsefalse - insufficient disk space 23542300x80000000000000001527786Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:31.743{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=266DF8F00E53806C3BA79BC280A29AD1,SHA256=C93F9F93C2D8D36C3066F94CE7FFD7A4A7C93B5166E55D623624439241ED0340,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527785Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:31.604{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527784Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:31.604{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527783Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:31.053{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD74EB9690291A5CB0A038F199B64B7,SHA256=12F465E0BB5BC8452563B31294065F0A5DF7AA0172BF8AE8BFB6B5598BD295EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:32.269{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.269{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723B483CAC2F8D9149C593084D3890A7,SHA256=B78EF295A2612860344F9E2B39ACE5B51C86E30D1C7B0E6265C64C2B9B011929falsefalse - insufficient disk space 10341000x80000000000000001527791Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.604{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527790Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:32.604{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527789Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:25.368{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local1060-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001527788Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:25.368{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local1060-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001527787Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.063{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A68BBF05222F60F1B8C33C4C0106FF,SHA256=97BB15F1A2B1D2B2564487F4BAC6B03013C32D1A0DD062701AAA447595E9DFDB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.215{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 23542300x80000000000000002444978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.215{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DC2211BB7BFD06BC99091EAD3A68B644,SHA256=411EA54BEE27BCB359F3A91A243B27DCFC24E1838B8B2B48F65ECA574307BB37falsefalse - insufficient disk space 534500x80000000000000002444977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.215{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exe 11241100x80000000000000002444976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.215{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 23542300x80000000000000002444975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.215{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DC2211BB7BFD06BC99091EAD3A68B644,SHA256=411EA54BEE27BCB359F3A91A243B27DCFC24E1838B8B2B48F65ECA574307BB37falsefalse - insufficient disk space 11241100x80000000000000002444974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.215{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 
13:19:52.725 23542300x80000000000000002444973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.215{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C1CCC32215D012AE254437015EC3985F,SHA256=B2C320FB630EE577985C4D2C238AE3A6D1221CA44942898896F1BEC19E816A7Afalsefalse - insufficient disk space 12241200x80000000000000002444972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 13241300x80000000000000002444971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\ActionsBinary Data 13241300x80000000000000002444970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\TriggersBinary Data 13241300x80000000000000002444969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\URI\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask 13241300x80000000000000002444968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Description$(@%%systemroot%%\system32\sppc.dll,-201) 13241300x80000000000000002444967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Author$(@%%systemroot%%\system32\sppc.dll,-200) 13241300x80000000000000002444966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Source$(@%%systemroot%%\system32\sppc.dll,-200) 13241300x80000000000000002444965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\SecurityDescriptorD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323) 13241300x80000000000000002444964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\Version1.0 13241300x80000000000000002444963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\SchemaDWORD (0x00010005) 13241300x80000000000000002444962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6680E717-711A-4466-96EB-E81A2DACFBEB}\HashBinary Data 13241300x80000000000000002444961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\IndexDWORD (0x00000003) 12241200x80000000000000002444960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:32.200{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6680E717-711A-4466-96EB-E81A2DACFBEB} 10341000x80000000000000002444959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:32.200{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002444958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.200{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002444957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 
16:43:32.200{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000002444956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.200{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\taskschd.dll10.0.14393.4169 (rs1_release.210107-1130)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=A0180EEE2521DC7847458E0BDC673DBD,SHA256=987A1EA9876E266B68CBB962BECF4BDD8794765DED0ED15B55490A30ED00DD2BtrueMicrosoft WindowsValid 734700x80000000000000002444955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.200{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 11241100x80000000000000002444989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.302{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.302{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187258BD04EB38D6604118E8788739D7,SHA256=6F590FFE5AC4EB9271D88717D4636911A3417131914C9D4EE7CF6F6CA85A0EAEfalsefalse - insufficient disk space 10341000x80000000000000001527794Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:33.605{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527793Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:33.605{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527792Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:33.070{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0564832A40428BA21288469E20810A,SHA256=CF79BFCD8FEDF55CEFCA92D10A73F6F6F443AF96AB32190438A56590D124FE0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002444986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA8519C74A6BC5050886831336CC55F,SHA256=2CA15354910F1BE38B90E620FE48B93D32EB3A764428C977944920BF5F38C345falsefalse - insufficient disk space 11241100x80000000000000002444985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000002444984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B0D7A395FD094065BE8DE801E4F1E1AB,SHA256=6DD3D45764BE980D32D4DA048E929357AA5BE08A438ADAE359D3FB55CE72C93Ffalsefalse - insufficient disk space 
11241100x80000000000000002444983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000002444982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EBAC73DE9072EE017282D3B992793D06,SHA256=18F3B2D824EED167FB312E003C16029B1476C0539A9F6EE6C2603D0ED9E3D133falsefalse - insufficient disk space 11241100x80000000000000002444991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:34.374{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:34.374{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0974602B0A4C7C799493B9E473CA0CB6,SHA256=B09C522DF6391A1CF7C2AFF3D1D8C757EA498166BBC0661BD06BC7C1CE8246A8falsefalse - insufficient disk space 10341000x80000000000000001527798Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:34.606{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527797Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:34.606{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527796Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:34.227{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC1F24C3F8E2C92D3EF6A34B0CF7302,SHA256=DCD56F609759271A1EBD3ECB65689FE92C39687F236188C1D6CD767DA6733DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527795Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:34.077{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB45CC28EC2A0AA0322593AFCCCAF4CB,SHA256=7730E0E5007972586064D7973C96D7A2083C7CEA9AAE9E158F88ED60B030E650,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002444994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:35.476{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:35.476{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA29FCC3F4411E5BE73A764CB43E93A,SHA256=905CC4CDE6A3B17E1C91DF622A2BF0C566E315B075981618F34E26B4802EC7A1falsefalse - insufficient disk space 10341000x80000000000000001527802Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:35.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001527801Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:35.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527800Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:29.610{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1061-false10.0.1.12-8000- 23542300x80000000000000001527799Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:35.084{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BEB260EA43881E8C99E814D5C6D4CF,SHA256=2F742B16A932EED291BA5B89D3A6CE4B5152D66DFC9F650D660820C3D74A2BCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002444992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.563{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49272-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
11241100x80000000000000002444996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:36.510{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:36.510{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CD4DBE3FCD0113BC3575C663AC1426,SHA256=65BF3B7C7496D9D6E8608DF52001AE6965297C5D7B3FF11A4DBAE9AB8A873423falsefalse - insufficient disk space 10341000x80000000000000001527806Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.649{761B69BB-818A-607D-0B00-00000000BA01}632760C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\nt
dll.dll+1d34e 10341000x80000000000000001527805Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527804Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527803Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.093{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9786C63EACA0196EF3BBE7FD581CC8D8,SHA256=95249CBA55CCFECC5BC982E154B5F2DCD2E4805A23CC164B495B15C19436C508,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000002444998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:37.512{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:37.512{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837F35EA3DDE2201978667B1F4B62C09,SHA256=63DBE206A4CBC582264554609576E6A0935D81C992EF6DDC502C2C41F4E28C65falsefalse - insufficient disk space 354300x80000000000000001527814Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.144{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local1063-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001527813Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.144{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1063-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001527812Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.137{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1062-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001527811Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:32.137{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1062-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 10341000x80000000000000001527810Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.608{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527809Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.608{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527808Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.565{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6CE9C22D8FACD83CE58164575070392,SHA256=F61B696EEEA3408527705B2E2A93C386797A58456E00BDC2C2FEC3B84799C910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001527807Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.103{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C4CCCFC1B7FBAC9B1A2EEC4A85938E,SHA256=7D92CCAEAC772DF3EF220C0EBA18E2189CF6D2094729BDD188C6C6135B536E36,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002445000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:38.515{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002444999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:38.515{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A94D11A6CCC5EEFF138AC5FF7747DDD,SHA256=E2E83C79C3D01ED3A51250C1990EA532604D284A5DCE3320F8AA93387157370Ffalsefalse - insufficient disk space 10341000x80000000000000001527819Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:38.609{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527818Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:38.609{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527817Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.241{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1064-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001527816Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.241{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1064-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 
23542300x80000000000000001527815Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:38.111{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71E3391F2027B5AFF62E30F101E49CB,SHA256=42CAF887632273C3E19CD0CF3F614F7F3021C2D6EB9510B479D0F880EE78E2FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002445002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:39.517{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002445001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:39.517{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF9CDC20198BCF7BDE53D4F66F3EBD1,SHA256=989531871B3776DC359F57F51904DF12F5957A16B82099A868DBB5FA8EEDD0CCfalsefalse - insufficient disk space 10341000x80000000000000001527824Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:39.610{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527823Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:39.610{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527822Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:39.241{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11CB86A88C27D95AE98CE779FDA498FC,SHA256=8E3100304B60134F4D8AD62B47F10B0649F25BE1C2C29871A8ADFE87110EEFDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001527821Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:32.558{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1065-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001527820Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:39.116{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61384D2D1C3060CBE7C2D5981E8F55AA,SHA256=FEC3514F0FF44157F4D573CCDE0D85783C4590731EFF8B3F71256DD15034FA55,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002445009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:40.519{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002445008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:40.519{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67C3CA95569777FDDD2D4C385723E70,SHA256=0CF01537E7BF17EEE8D7897FC634B9CAFDDAECF32A557148EDD162A7470A5A45falsefalse - insufficient disk space 10341000x80000000000000001527827Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
(record header on the preceding line) UtcTime=16:43:40.611 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527826 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.611" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527825 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.121" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=208EC98EA851BE1482A182F51F1FD937,SHA256=A2B095638C3028D0555E08DDF03C66C4B2DF2864BCDB2FCABE382C20D1CCF662,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordID=2445007 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:38.577" ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=49273 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445006 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.219" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-04-19 13:20:22.616"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445005 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.219" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=5CFA32069A4C20F4DFD3A2BF11D85A26,SHA256=ACB30DAD129B687AC37D2791CA02390C7DC12CA606A84CFE48B4B68886ABE8B2 IsExecutable=false Archived="false - insufficient disk space"
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445004 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.219" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-04-19 13:20:22.616"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445003 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.219" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=B33D183D5AF43055843EABAC856BD2F9,SHA256=1AB5098FA83DC32D58401CDE06CB1AC1421D1716687DDCF5499BCF0163F37B4B IsExecutable=false Archived="false - insufficient disk space"
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445013 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:41.575" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445012 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:41.575" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=9C6B2BA9014B694D5DFBD83D365D1795,SHA256=2AED308B88E09D052021792AFCE71E49AFE2CE63411D05358995F97F59C54D10 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527831 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:41.612" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527830 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:41.612" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527829 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:41.140" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=66872997587DFE97A89084741B4177A2,SHA256=2766134F49538426A7926EE839A40BA419C451EBF3B8C57BB30B0DB4BFD71E45,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445011 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:41.306" ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml" CreationUtcTime="2021-04-19 13:22:46.774"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445010 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:41.306" ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml" Hashes=MD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E IsExecutable=false Archived="false - insufficient disk space"
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordID=1527828 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:34.747" ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} ProcessId=4116 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=1066 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445017 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.609" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445016 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.609" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=71275C44E40E5E592E2A5DF975763CAD,SHA256=EE76E4A6C052C155D012456B4DBC20022C02FF4CD3DD1447EB2A6D68A42FF8FF IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527834 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.613" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527833 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.613" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527832 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.144" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=6FA7AC7198D63149BEAE3742CA2CE989,SHA256=09FF3956BB71AE2E63B7256DFE153FF5E8C218457F201DDA6250449D40682463,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445015 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.293" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-04-19 13:20:22.616"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445014 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.293" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=5CFA32069A4C20F4DFD3A2BF11D85A26,SHA256=ACB30DAD129B687AC37D2791CA02390C7DC12CA606A84CFE48B4B68886ABE8B2 IsExecutable=false Archived="false - insufficient disk space"
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445020 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:43.611" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445019 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:43.611" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=54E93EEADB4DF0814AE61B664EEC91E9,SHA256=2A7A576B516513BE574B05358E06D2133F259749849B75661CCD34F3F84F2DD3 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527837 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:43.614" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527836 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:43.614" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527835 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:43.151" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=020A668BBED854D0C9520D712D7E823B,SHA256=06B3C8FD4FE364829481A414DAC3F09A3254E0120AAB99329CD91534497CE46E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordID=2445018 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.767" ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=49274 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8089 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445022 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:44.614" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445021 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:44.614" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=59C7343F0241B31A1555538F9E1FF678,SHA256=1A07313989E7BE7C7C162B07C60B49047B0B9FEB7927B0680A45B0E25D91076D IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527840 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:44.615" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527839 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:44.615" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527838 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:44.154" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=7DDC1BE94198383F2A83B0EF33417305,SHA256=D3E80596F6072A20303A60B7CAD97CB224DEF1CF0EC61C8FD1883275DCE4AE5B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445027 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:45.632" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445026 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:45.632" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=526A6615FCD8D793CD532B5906420A2E,SHA256=8715E679F130305B1BF3052C8F1AEC479F7C686973FA7E708C2309E1E1A731A8 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527843 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:45.615" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527842 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:45.615" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527841 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:45.166" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=73A252CF49AD0ABEF978EC133E340442,SHA256=CADF92AEB5466CFB4628A85321557919F3A1D0A9F069C34F8C9AAB29AE73BFB7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordID=2445025 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:43.590" ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=49275 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445024 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:45.115" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2021-04-19 13:20:22.616"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445023 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:45.115" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=8CE5A96730B6FCF66283504A89BABC9A,SHA256=7AFFA07F0A942AEE2D232544938F73CD94D154E99BCAA8FF9A05A1E78FD9B11C IsExecutable=false Archived="false - insufficient disk space"
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445029 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:46.634" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445028 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:46.634" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=464E8F7707F124E6B8BA94707C8593D0,SHA256=2F4E95BF31EFE0B3811E8820E46E3B141CCA97351C0677176A1776F075F3F517 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527849 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:46.616" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527848 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:46.616" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordID=1527847 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:40.631" ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} ProcessId=4116 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=1067 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527846 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:46.171" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=BD61FB7B763E19CCB9BDCDA346E145CF,SHA256=4F9C753A094BFF57ABB9B90A22240059A38B0782A2E39BB995184BA99EBF826F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527845 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:46.059" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=56CD9ADC9FCDCEC73E688265C5F6668D,SHA256=91CBA28BCE9EA646E2EFD0515888A4E0439296E28861213EA4AA3EA1B2154CA8,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527844 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:46.058" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=CE4629168F2344A653A9B2603BD0ED72,SHA256=62A4CB7D13C6AAA745A7ACBA3718AD747157088FB2549B2D2477E6EDAE03BDC9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445031 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:47.773" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445030 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:47.773" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=EEFAF5DCD6CAD20FDADF87B0C15B099C,SHA256=273F76AD3C878832115FBF141BA81E58D97CDC69CA8EA44B21D98BD525057557 IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527852 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:47.617" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527851 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:47.617" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527850 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:47.174" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=4E92A42FEB55DA65272508ECE9996BE8,SHA256=C2C199B3E38CDE17DCE09E28BB029B96FBCE9A3759F7B838783D08F220148190,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445033 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:48.973" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445032 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:48.973" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=99C35A994B5BAB5E8EAB7530A523C367,SHA256=0252FCABB0223C182E120E5C6BC88A326CE5262246008766440BD93CD2C0DDEF IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527856 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:48.618" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527855 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:48.618" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527854 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:48.188" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=56CD9ADC9FCDCEC73E688265C5F6668D,SHA256=91CBA28BCE9EA646E2EFD0515888A4E0439296E28861213EA4AA3EA1B2154CA8,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527853 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:48.178" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=E73B7EB986E8E4C4E81838C6210A7731,SHA256=FBCC8EFA8355240DD611AD420DECF4598B823BA4832BF6B27360AED808EEA7EA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 RecordID=2445035 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:49.994" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=2445034 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:49.994" ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=FFB8A05FD5300C98FE0BBA9F64B146F5,SHA256=13883DC8B7CC32843520B6F988471ED94629EAB893464A8B944410BB2DED6CBF IsExecutable=false Archived="false - insufficient disk space"
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527861 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:49.619" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527860 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:49.619" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527859 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:49.610" ProcessGuid={761B69BB-8200-607D-A100-00000000BA01} ProcessId=4148 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml" Hashes=MD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordID=1527858 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:42.556" ProcessGuid={761B69BB-9C8D-6081-C081-00000000BA01} ProcessId=4856 Image=C:\Users\Administrator\Desktop\beacon_sph.exe User=ATTACKRANGE\Administrator Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=1068 SourcePortName=- DestinationIsIpv6=false DestinationIp=34.218.235.219 DestinationHostname=ec2-34-218-235-219.us-west-2.compute.amazonaws.com DestinationPort=443 DestinationPortName=https
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527857 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:49.183" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=B66286E5422C097D4015FBB3D6D068D4,SHA256=5BDA29A6E718AA29072E5790F878AC0C561473912E22A58C44E173193DDD019D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527865 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:50.620" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527864 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:50.620" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527863 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:50.603" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=10104C07F8E1F6DF8A8B788CC71D6C27,SHA256=EF4D230A20C36E6A68197ECD27810EE7E11321187A318FFE82D961AA9D6203F7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527862 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:50.188" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=BA607D56FCC9FFC6D26575D868929162,SHA256=4FD401BEEBC77A5916C595AA21F418B511A7802CDDA0C01DE2486AA1E5FBE649,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527871 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:51.621" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-647F-00000000BA01} TargetProcessId=6840 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordID=1527870 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:51.621" SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-88AA-6081-657F-00000000BA01} TargetProcessId=6112 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordID=1527869 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-04-22 16:43:51.615" ProcessGuid={761B69BB-819C-607D-2B00-00000000BA01} ProcessId=2972 Image=C:\Windows\system32\DFSRs.exe TargetObject="HKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File" Details="\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordID=1527868 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-04-22 16:43:51.612" ProcessGuid={761B69BB-819C-607D-2B00-00000000BA01} ProcessId=2972 Image=C:\Windows\system32\DFSRs.exe TargetObject="HKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Config Source" Details="DWORD (0x00000001)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 RecordID=1527867 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-04-22 16:43:51.612" ProcessGuid={761B69BB-819C-607D-2B00-00000000BA01} ProcessId=2972 Image=C:\Windows\system32\DFSRs.exe TargetObject="HKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Replica Set Configuration File" Details="\\?\C:\System Volume Information\DFSR\Config\Replica_59F158BB-F4A4-42E1-B81F-FD8310C406A3.XML"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordID=1527866 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:51.194" ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=DB6F853674253F9DA24B27328524E56B,SHA256=43952C88F675CECC958D80010BFADFE708CD7E41688F7C2DF38A0796EFACDC27,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordID=2445042 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime="2021-04-22 16:43:49.587" ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=49273 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
11241100x80000000000000002445041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002445040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5F1B99F5038F1C6185A112B9C463C8,SHA256=37C593C2BC28505D301C258E61FDE5D1A880CA1370A88DC52D41A988E57F47A3falsefalse - insufficient disk space 11241100x80000000000000002445039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002445038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D44346392B9EF31AAEB18A5F50022C,SHA256=03D0D2D1BF5B190BBA6140E89D135419B2E801232CE09C49B47A51F73DFE3DB3falsefalse - insufficient disk space 11241100x80000000000000002445037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.012{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 
13:21:25.072 23542300x80000000000000002445036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.012{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82AC06DB33B624A6AC55611A3FF21197,SHA256=00A92FE552D728934E0BD78A20AF453477A724A369D4487ABA5F76EC60769DB5falsefalse - insufficient disk space 354300x80000000000000001527890Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.209{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1072-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001527889Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.209{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1072-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001527888Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.194{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1071-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001527887Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.194{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1071-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 
23542300x80000000000000001527886Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.641{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DBE73F17CC6054C15AC2A85DBDA995D,SHA256=F04A57FFADC68083B3C5F78B35C915CFAA7DF24E90DC463A20719C22533F7AE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001527885Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.621{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527884Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.621{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000001527883Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:45.767{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1070-false10.0.1.12-8000- 354300x80000000000000001527882Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:45.188{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1069-false10.0.1.12-8089- 23542300x80000000000000001527881Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.201{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D41DC566C59C121F25CA7AD416F4478,SHA256=B6C738DE166FE6C5DF647C15768C45437550240989E15DBBC3E64A00B334D943,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002445044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:52.031{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002445043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:52.031{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6AE817F5D57CF84C46518CBD296701,SHA256=A006F2D96C19640D05C347902F4920A465D7A71E54772F30458A9C729F42E1A0falsefalse - insufficient disk space 10341000x80000000000000001527880Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.096{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527879Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527878Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527877Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527876Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527875Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001527874Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.093{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001527873Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.093{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001527872Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.018{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=351B455F32DF17FB35BE8B1B944E4A80,SHA256=DD8F4787A4A5D3CB53BCF9718423476A106600B552E6E323AACF12EB48CA33FB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001527895Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:53.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527894Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:53.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001527893Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.214{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1073-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001527892Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.214{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1073-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 23542300x80000000000000001527891Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:53.211{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955329E8180D40A5C4674B3D04553F1A,SHA256=D78D43B4993F7626359E17CDC1D902E2BA6089287DCC0E884074C5DC278A9636,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002445046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:53.033{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002445045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:53.033{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902B4A4F471F31CE7EA90FF238D21CE6,SHA256=EE348AC6BAB18CA29E89E6837B7D580756AFA1BAB65F5205CC0775D3C48F5EB9falsefalse - insufficient disk space 11241100x80000000000000002445048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:54.184{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000002445047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:54.184{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B48F1582F9B6BAEDA1E11051C864E79,SHA256=0AF60AD171E5BE7772E747FD599004DA750E9997C29DA7560672D5E47DFED608falsefalse - insufficient disk space 10341000x80000000000000001527898Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:54.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527897Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:54.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001527896Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:54.214{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0493DB67496695393D2D45F8BB48F8,SHA256=4968FB9C51C9907655A3813D04DE44B408418A6EF6E4381FEE15312A6BA0EB5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002445050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:55.238{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002445049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:55.238{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E98B7D9BF535646FB4AB8917E83619,SHA256=4F0826B4FAF3F093A52CD4C7F10C846E5EEFC1D08AAC29051001632081D1FE6Dfalsefalse - insufficient disk space 10341000x80000000000000001527901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 
16:43:55.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001527900Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:55.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001527899Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:55.224{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3338B07F7B42B00CC4F72DAAFBC5C4,SHA256=E129D1024BA06B7AD265496DFE0C4C473077364BDF835E039980B1C07288E1D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002445057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 