354300x80000000000000001550570Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:17.642{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19371-false10.0.1.12-8000- 23542300x80000000000000001550569Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:23.660{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F9067D9D1D487A5E8E248F0BA560E7,SHA256=F253A5C35AEDBBE560FE968B37E864487F5FC289A97AD80C49D0E3A8811E3EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550573Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:24.673{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2FE1AB06B0519CF0FAF1FBE9BD2EFA,SHA256=3FBE85EDAEC8065BB8AC017444A52CEFD57E9EC7F69E6E5FCF6F8BD867A51917,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:24.138{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:24.138{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8E47D8F43DDD1256D2646E8EDE1950,SHA256=2B875D525735358A1528956FD99D77EF4772C91EF2F1BB6C63DF6015ADF4F752falsefalse - insufficient disk space 10341000x80000000000000001550572Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:24.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550571Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:24.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550576Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.679{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54A6258440743450374E3FE6D4CA1A9,SHA256=405F2550FC7F7F0AA233963F27B8F630292FF3ED76A5A9772A148C4E51DC5774,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:25.141{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:25.141{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238EB56ABAC657B73D2851065D28BB85,SHA256=1AB8AED7833543D6A8C7A9B2469673F1E0A33BDC002E707A755168BC7FC7E747falsefalse - insufficient disk space 10341000x80000000000000001550575Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550574Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550579Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:26.680{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE4956ACF325E456DA226F6E6F5FB3,SHA256=1E17B1EE3B55F22CC38CBA20BE468CCB4CCAD2E7AE6EF13D6FC0518283C70E6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:24.650{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50207-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.243{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.243{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E600EEFF894F70E9F26B6B632345FB,SHA256=BD6804C1AC07078F4964527BA3A3A9FBF43736DB8E0F77B5F062034C6CEAFA29falsefalse - insufficient disk space 10341000x80000000000000001550578Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:26.227{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550577Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:26.227{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.228{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.228{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=251B4C5EEBE8789F526DC22CED464D9B,SHA256=CFC04AAE10BA1B355CC7185CCBA49AFB69A50FF79CD970FEC978AAA4014AE81Afalsefalse - insufficient disk space 23542300x80000000000000001550582Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:27.690{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64802107FF599DC138B3633D5C02B74,SHA256=B5A526030E4E9F4C5A3CCE66BE70E2FB210233C0105B343FCD1A3DE59FE34BC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:27.246{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:27.246{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3550F65643ED41DD698F992DF04B343B,SHA256=9E1E9BD9B6F99980DEE79F869F896FF4E40ADCC3E335DB6AEBD9D79EFC368A7Efalsefalse - insufficient disk space 10341000x80000000000000001550581Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:27.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550580Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:27.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550588Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:22.775{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19372-false10.0.1.12-8000- 23542300x80000000000000001550587Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.693{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F11BBE404E9B5D3AF240E7C1C71EFE,SHA256=B609222FDACB704418EB154C9BB03519633DA04D89F2ECE1F3C2025651C5D0DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:28.248{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:28.248{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C12BE9C6448D6B74683E48A4DF31908,SHA256=B7BBA28369E9C22AB0CBDF08078D56E3FAEF10E891349FFDBE171F5BBD90AEB4falsefalse - insufficient disk space 23542300x80000000000000001550586Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.241{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8395E362765C047E33365565B4CBE346,SHA256=65957000AF7D8D8520B7C29F168E8EF48E28D12F5EF7F0FCAC14746372175913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550585Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.240{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1732CB889C896C15D1DE4551DAD957CE,SHA256=84ED1D126AF069A2A2859440F03F396965A1EFBCB69578C5AC606E40B78859EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550584Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550583Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550591Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.696{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFC26619BF676FD6A6E8386F5868F8E,SHA256=8CA98D290CC40D574F5B798ED36D4FC3FCDAACDBD582F814B72BEC45EA5AE3FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:29.250{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:29.250{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D532B207575EEB6EDD41D8B01D8107,SHA256=886B255DA9F21994376C74967256A8A202E46FE661A7EE52C727FEB871447C88falsefalse - insufficient disk space 10341000x80000000000000001550590Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550589Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550594Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:30.699{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D38532B7719222C8888B37417E00E77,SHA256=88FBD38C20DCEA7ABD2EFC1DCF045AD0E4E13EE12FD78C2E7D908CE09E2EB100,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:30.253{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:30.253{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC6F8582B6B9C2060CE6099E692E621,SHA256=3A5D6EA30AB53DD29B467AAD99B67ED171B5E692CBABF44C7B80CC302278BA23falsefalse - insufficient disk space 10341000x80000000000000001550593Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:30.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550592Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:30.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550600Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.588{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local19373-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001550599Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.588{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local19373-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001550598Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.706{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F347309222D7F2F8EDEA59C30E7CDAD,SHA256=AD3868D65510C80C4CBC490D75804F4235DBF1C5D9B863DA76F2DB484188DB35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:29.662{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50208-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.255{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.255{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C065B773603B1579CC1BCE31A0848888,SHA256=1AC391E2FBE74365025B4A2C95475976B3F59FB2B2337EAC0767FCC29D6FC5CFfalsefalse - insufficient disk space 10341000x80000000000000001550597Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.230{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550596Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.230{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550595Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.053{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8395E362765C047E33365565B4CBE346,SHA256=65957000AF7D8D8520B7C29F168E8EF48E28D12F5EF7F0FCAC14746372175913,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=623B95774ACACD7361B67800A409AF4A,SHA256=8F46AAA275A030CDE1805D9A7E284CD109EF0CE5373C7F3F7EB7D12437BCBD28falsefalse - insufficient disk space 11241100x80000000000000002496206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B49C6F7DB3474376B588AE8AAC6C8BCD,SHA256=A04661F0B0ABF3C92FCC0179F3D15143E92C978B265A5553916F0A155B1F7F27falsefalse - insufficient disk space 23542300x80000000000000001550603Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:32.722{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EB0ADD3E9112B80FF13E970DA0E809,SHA256=C98F02FA82673A53AC5733A4595CC0A69F50C4F395B8E4224853D81FE1D48636,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:32.374{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:32.374{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D4B2E1E7011C0688D596563A929EE3,SHA256=EE5F7A6C4468F060FF74731BC510BC2D77E8EEDD12FD4979D5A3C46975FDBB7Bfalsefalse - insufficient disk space 10341000x80000000000000001550602Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:32.231{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550601Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:32.231{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550609Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.074{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19374-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001550608Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.074{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19374-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 23542300x80000000000000001550607Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.729{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C3D7D15B8B48558FF0995EC9207A37,SHA256=0B52B964FB0C951DB5C970C2BFD4B7BBF829BB3F005C0A39656DFC8DA3832D95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:33.408{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:33.408{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E0216BA426E7EC2C02A217DA671C30,SHA256=CB66A8BAE289C58DA46735CBF6B8137744A05880FAD5BF858561C6A243EBCD23falsefalse - insufficient disk space 23542300x80000000000000001550606Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.538{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=789F5CC6DBC874DE8C2A2B70FA6D561B,SHA256=37A5B8ADF0E036DD7B248AEE63149FCAC0B8A6517EE02ABDD7DF43A5B024F7AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550605Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.232{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550604Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.232{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:34.439{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:34.439{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAB72DE946258A9D9CA8E7BDA28D5F2,SHA256=C645F6C48F02F8E45EDBA56C305D17123DF1EDC3878F9CB75788EC0F6018AA0Efalsefalse - insufficient disk space 354300x80000000000000001550614Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.673{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19375-false10.0.1.12-8000- 23542300x80000000000000001550613Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.752{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B53E513825880FFE69E5E168E9493C4,SHA256=55AF0BC6AEB521B961A0C733B806677435B9EC7CAB493FBC245880DBA8FD704F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550612Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.748{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46EC3837CC6503DF49B8E551B72671A,SHA256=C4BC8FD1F3AA067BF2F6464A46A90E70C941D616D14047DCC50FDD4B5F86915E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550611Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.233{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550610Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.233{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550617Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.757{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FF6985910946E20E868A11C213169C,SHA256=57DCFC807333281D5157FAA927C853853F2EF0ADFF0ACA43261BD42CEB91B74E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:35.439{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:35.439{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2581C92E1D62DF9AAA8FD63BB822BE1D,SHA256=090CA628D6A718100DB954C854334958CA91724C1182AA2A76FA511FF6A0C13Dfalsefalse - insufficient disk space 10341000x80000000000000001550616Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.234{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550615Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.234{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550621Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.323{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19376-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001550620Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:36.760{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D016F6100C82A91EA7BAB1E4EF625D0E,SHA256=5E7886BC9C6034E4ADFD9A62D5375A36FCCB82EBDEC18E69008E14D0AE64268F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.523{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.523{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981323B55DA3B35182126167AAF052D3,SHA256=486916697D4AA9D4732DBD3CC26D1A9B9FDD2C2F9C1371CC3BE03093E698D111falsefalse - insufficient disk space 10341000x80000000000000001550619Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:36.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550618Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:36.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.223{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.223{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=623B95774ACACD7361B67800A409AF4A,SHA256=8F46AAA275A030CDE1805D9A7E284CD109EF0CE5373C7F3F7EB7D12437BCBD28falsefalse - insufficient disk space 23542300x80000000000000001550624Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:37.765{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D932594584DC671E6B6A58763B97939E,SHA256=0AC318B8276528CFCD144547C3AAB8FFF58EADC833A58F34863F6D878F7AF271,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:34.664{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50209-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:37.539{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:37.539{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=506F06068119A44B7E25EBD9E545E218,SHA256=5A898F916EC488F756F88F13E1B7F730A4A0BFDCC4F276E22106C1E315AD4F43falsefalse - insufficient disk space 10341000x80000000000000001550623Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:37.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550622Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:37.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550627Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.769{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F0ED3F9B26A2AE2F7711A30A1D005D,SHA256=657201D5813DFC2AD159A3651317F30FE29719B170224CC2FF24755A5521A03D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:38.539{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:38.539{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DE49122B2CDB1F288576C324B854BF,SHA256=64A1BB790FB7617B24CE44DF90424A6897760834DCA99D5FCDA1B7BAA751FD39falsefalse - insufficient disk space 10341000x80000000000000001550626Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550625Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:39.540{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:39.540{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB42E2030F4C1E2AFD2C4ADAF472D80D,SHA256=13B288961AAE6FA764836B3EBF4EF740291B8E7C16FE496CE4F6C67E0D8C33DCfalsefalse - insufficient disk space 23542300x80000000000000001550630Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.773{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFBEBFFC33A6B3FC111BD0066F4B20D3,SHA256=B022F1797FA6DED777A16CFAD2DB610DB8A3143188CE7CA58C8895D17AD6741A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550629Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550628Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550637Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.557{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19377-false10.0.1.12-8000- 23542300x80000000000000001550636Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.787{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE73938CEE823384ED8123A1AA429E85,SHA256=25A9B7C21CB51D3BB428537DAC933AE13117B5D7C459D00F939AEAC913C542AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:40.574{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:40.574{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BDB3778540DB1C2CA3A261539CDC5B,SHA256=8E84C92C74BB5879E297472A0425AE9284A552CE9E8B95DEECBB1D93332A7F4Ffalsefalse - insufficient disk space 23542300x80000000000000001550635Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.435{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1AB3A7E97B94BE3BA00DE645C3F12CD,SHA256=17A448435EC37D9479F298A32ED2948D8600DF75AB25EFCAD36F297E5DABB3AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550634Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.237{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550633Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.237{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550632Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.098{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1AB3A7E97B94BE3BA00DE645C3F12CD,SHA256=17A448435EC37D9479F298A32ED2948D8600DF75AB25EFCAD36F297E5DABB3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550631Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.097{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=106FDE56BF7C1C835D417FF9ADE0E841,SHA256=98A4680D4E4BF87A64D1A7DB084A9FE8C27CD9D93E1C51E6BDBC4501367A4BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550690Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.987{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E1D44B2D64C1D17439EDA3D9515D69,SHA256=B70DFEF8ECF97B44F23AF6567DC54EB490DCE9381DFFDB0A1471C509D86E1DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550689Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.850{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local60854- 354300x80000000000000001550688Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.849{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local59790- 354300x80000000000000001550687Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.848{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local64076- 11241100x80000000000000002496238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.710{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.710{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBC495DB2B6F9FB717BE26823C2648C,SHA256=EBB1308EEE2799996862FA7E9FEEC74A905BD61FDDA2504014969C99807C7420falsefalse - insufficient disk space 354300x80000000000000001550686Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.848{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local62811- 354300x80000000000000001550685Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.847{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local51475- 354300x80000000000000001550684Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.845{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62861- 354300x80000000000000001550683Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.845{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local61385- 354300x80000000000000001550682Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.844{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local52675- 354300x80000000000000001550681Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.843{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62815- 354300x80000000000000001550680Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.842{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local52224- 354300x80000000000000001550679Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.841{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local59012- 354300x80000000000000001550678Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.840{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62737- 354300x80000000000000001550677Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.839{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local62472- 354300x80000000000000001550676Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.839{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62093- 354300x80000000000000001550675Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.838{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local64792- 354300x80000000000000001550674Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.837{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local58227- 354300x80000000000000001550673Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.837{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local63905- 354300x80000000000000001550672Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.836{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local61552- 354300x80000000000000001550671Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.836{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local60672- 354300x80000000000000001550670Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.834{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local59659- 354300x80000000000000001550669Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.833{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local52936- 354300x80000000000000001550668Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.832{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local59361- 354300x80000000000000001550667Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.829{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local61872- 354300x80000000000000001550666Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.828{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local50780- 354300x80000000000000001550665Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.826{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local62598- 354300x80000000000000001550664Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.825{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local58083- 354300x80000000000000001550663Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.825{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local64772- 354300x80000000000000001550662Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.824{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local50828- 354300x80000000000000001550661Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.824{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58294- 354300x80000000000000001550660Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.823{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58083-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domain 354300x80000000000000001550659Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.823{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local52256- 354300x80000000000000001550658Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.822{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local51477- 354300x80000000000000001550657Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.821{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local63384- 354300x80000000000000001550656Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.821{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local63618- 354300x80000000000000001550655Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.820{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local59383- 354300x80000000000000001550654Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.820{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local49950- 354300x80000000000000001550653Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.819{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62377- 354300x80000000000000001550652Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.818{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local61632- 354300x80000000000000001550651Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.817{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local51971- 354300x80000000000000001550650Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.816{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local64275- 354300x80000000000000001550649Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.815{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local60263- 354300x80000000000000001550648Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62887- 354300x80000000000000001550647Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-982.attackrange.local62887-false10.0.1.14win-dc-982.attackrange.local53domain 354300x80000000000000001550646Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58083- 354300x80000000000000001550645Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58083-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domain 354300x80000000000000001550644Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.806{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19379-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001550643Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.806{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19379-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001550642Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.805{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19378-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001550641Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.805{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19378-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 23542300x80000000000000001550640Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.270{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AE3F8AD13137861CF86811D85B5E718,SHA256=054FBC82EA553C1165030FE3FDD2AA513F3876FF1460EEA7A894BAECA6A4E981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550639Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.238{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550638Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.238{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F769CEA0EFCEC2C2B70620400D584DF4,SHA256=8E64FEF387F31E6EAA26A65A10DDD11FF8FC9A4872E32246ADA8EEE18193F3CDfalsefalse - insufficient disk space 11241100x80000000000000002496234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CD51D0E663F698B30B9FE2208539A0E,SHA256=D8491FCA13DF99232710D82B114C98D5FE2F38448D1891E913AD7E936DAE5A5Bfalsefalse - insufficient disk space 11241100x80000000000000002496243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.858{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000002496242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.858{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 11241100x80000000000000002496241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.727{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.727{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4767F046421803AC40EE01B46E502F8F,SHA256=CB855687F6F73CAE543BBFD2DB2CBFD03834FCD91C50E816E879161C36437772falsefalse - insufficient disk space 10341000x80000000000000001550692Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:42.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550691Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:42.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002496239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:39.666{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50210-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.943{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.943{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BF9B5A456DBBEF1F7AB39A7D2E21A8,SHA256=8A71A84AEBD8B4E9A57C66FB87BC721303C60C6D4922D372F533AE317C493520falsefalse - insufficient disk space 10341000x80000000000000001550695Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:43.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550694Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:43.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550693Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:43.078{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14774324D6E436DAF180F3528FC5D54E,SHA256=96924EA664872DEA4E21513DAACE750DADFB50CE3F8C48515A7FA4A6655F9790,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.859{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.859{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F769CEA0EFCEC2C2B70620400D584DF4,SHA256=8E64FEF387F31E6EAA26A65A10DDD11FF8FC9A4872E32246ADA8EEE18193F3CDfalsefalse - insufficient disk space 11241100x80000000000000002496252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.944{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.944{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881FAD7D76A44B0EF746144DDCC1CCA6,SHA256=70A5F66FE63BA1B471F5A8C87814B620F5BE547320E7CFBFE11A21B77804496Bfalsefalse - insufficient disk space 354300x80000000000000001550700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.663{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19380-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001550699Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.240{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550698Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.240{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550697Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.144{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBEEF23F3B71CE5556032DDF9119A5A,SHA256=0DE2C5A9EFD7C5B5D870A2FBB12A7DBB87945ACBC645B556782383E9DEB8C62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002496250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.428{21761711-C665-607D-D60D-00000000BB01}4492WIN-HOST-5\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\datareporting\aborted-session-pingMD5=A8E5CF8EC46CA6DAFF6F289E4D735501,SHA256=7D1830BB8FAF897A059BC7CDF161DBF5BEC7BB0B24B17E1E68F4CDF44F326FE8falsefalse - insufficient disk space 11241100x80000000000000002496249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.428{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\datareporting\aborted-session-ping.tmp2021-04-22 17:57:44.428 354300x80000000000000002496248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.330{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50211-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001550696Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.129{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A709209D1B8CD78E4D8A3FB4D662BFCD,SHA256=79588BC98A9C1FBD9A42BCF9D11905A4EE925134CC11E35AE85727A387E50F67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:45.983{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:45.983{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C5AC4621482B48590011DCEE4DB2E0,SHA256=1311B0D56F836BAADE1E301C9EF51BEC1E56CB711B185B2A2BA6995679DE3399falsefalse - insufficient disk space 354300x80000000000000001550705Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.689{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19381-false10.0.1.12-8000- 10341000x80000000000000001550704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.241{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550703Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.241{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550702Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.151{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=466A1A5D84EA91E32652BA928F1404E0,SHA256=F47FD5C37EC6811FB21B488FEE3938890CB847855EA4CABCEDCC8275E03E76F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550701Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.147{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3532B1BE63094DC6DCCB0E60F737777E,SHA256=4C91729454288F21214A3D64381EBF97FA868F2885AD9B9D898248D491EC5EDD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002496282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.880{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000002496281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.880{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities2086 15,827 15,1001 15,2159 10,1000 15,999 15,226 15,1282 50,1338 10,1338 50,1282 10,831 15,1338 15,1282 15,1128 15,2087 15,850 15,1039 15,998 15,828 15,829 15,2088 15,1255 15,830 15,974 15,1249 15,670 15,2159 6,671 15,1002 15,669 15,291 15,1249 10,70 50,1584 50 13241300x80000000000000002496280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.880{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200081,25036313,19200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000002496279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds08758344,17134338,34968335,24131419,19677900,40920709,20039442,18409363,21378256,19972417,19200086,51655840,17634580,18658649,18375312,23979203,18658648,17698823,17183040,19677907,34968340,18948503,18658650,17650967,21378211,18637650,18674530,9319450,17126295,18948102,21313610,18409416,18948101,36517339,17634578,18400089,36761792,21030802,21378249,20979747,34968342,34968338,50890251,34968337,34968339,24470607,8448079,6366290,38013077,34968341,7690258,34968589,36274763,17182941,24406167,20027008,17182979,20027009,9176926,23205313,7690254,5850584,8263521,17622912,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,21378246,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,8254547,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,17045407,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,5888003,19732353,23979200,18384802,18633496,23729926,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077 12241200x80000000000000002496278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 13241300x80000000000000002496277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 13241300x80000000000000002496276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000002496275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000002496274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000002496273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000002496272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000002496271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000002496270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000002496269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000002496268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 13241300x80000000000000002496267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\4DWORD (0x00000000) 12241200x80000000000000002496266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 13241300x80000000000000002496265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 13241300x80000000000000002496264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 12241200x80000000000000002496263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000002496262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000002496261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000002496260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000002496259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000002496258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000002496257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000002496256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000002496255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.877{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000002496254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.877{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000002496253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.877{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 10341000x80000000000000001550708Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:46.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550707Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:46.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550706Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:46.159{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD5099C14859964A025DDD799C013A8,SHA256=15C2560F9A466BB7B76489D2D12CB5A804C3531083604156415FB336C53986AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.248{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.248{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B07E6FE1408E9E1E5EB5FE632AD9DFDC,SHA256=0B970F20F9B0FE8D1AE3789B1EAC1E1C5A9ADC66BF962A9D5883D83E9FC985A1falsefalse - insufficient disk space 11241100x80000000000000002496286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.081{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.081{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D25BB27738AF9769B2AA14A31944F3,SHA256=B9226F6FE4B6E80D7AE13544DEA69B80C7F06B12B4AA6166C8C72E3AEE2B5893falsefalse - insufficient disk space 10341000x80000000000000001550711Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:47.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550710Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:47.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550709Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:47.162{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C10F10135D43CE2B3AB70DAF115E4F,SHA256=1666AEA4916B2F9867B789529CE01DE5469BFC9B00F79385F2A9B00E29F9D691,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:45.687{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50212-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:48.119{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:48.119{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46218DB07FCA67E31AE0394787180B27,SHA256=0822904315D0D208F8CAEC16BF7AE1D6C8EB671E7117D35B0FF6417B94F6F01Cfalsefalse - insufficient disk space 354300x80000000000000001550716Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:42.560{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19382-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001550715Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.243{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550714Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.243{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550713Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.167{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EF394B4091142334E0189B650EB333,SHA256=3A0608DDE255B5EEDC03B7E531692B731E607FC99DC480A42E6CC9B6E7F97020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550712Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.037{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDBF0865AA9D156E45AC2AB085C72765,SHA256=0BE6A9262432811F90F76AAFE35D26CED461BDA12F5F4675C90393EFFAF86400,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550719Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:49.244{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550718Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:49.244{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550717Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:49.173{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6527329CC9CACF8E868EB0CE736C7E29,SHA256=54D5F53973994C61EC3B4BCEAEFAD3D2E1FC26AF7C46B7E65B378B86878BC654,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400593_WINWORD.EXE_6156_2428_1323.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400594_WINWORD.EXE_6156_2428_1322.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400594_WINWORD.EXE_6156_2428_1321.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400594_WINWORD.EXE_6156_2428_1320.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400595_WINWORD.EXE_6156_2428_1319.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400595_WINWORD.EXE_6156_2428_1318.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400596_WINWORD.EXE_6156_2428_1317.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400596_WINWORD.EXE_6156_2428_1316.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400597_WINWORD.EXE_6156_2428_1315.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400597_WINWORD.EXE_6156_2428_1314.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400600_WINWORD.EXE_6156_2428_1313.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.991{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400601_WINWORD.EXE_6156_2428_1312.dmp2021-04-22 17:57:49.991 11241100x80000000000000002496772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.991{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400601_WINWORD.EXE_6156_2428_1311.dmp2021-04-22 17:57:49.991 11241100x80000000000000002496771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.990{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400602_WINWORD.EXE_6156_2428_1310.dmp2021-04-22 17:57:49.990 11241100x80000000000000002496770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.990{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400602_WINWORD.EXE_6156_2428_1309.dmp2021-04-22 17:57:49.990 11241100x80000000000000002496769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.989{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400603_WINWORD.EXE_6156_2428_1308.dmp2021-04-22 17:57:49.989 11241100x80000000000000002496768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.989{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400603_WINWORD.EXE_6156_2428_1307.dmp2021-04-22 17:57:49.989 11241100x80000000000000002496767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.988{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400604_WINWORD.EXE_6156_2428_1306.dmp2021-04-22 17:57:49.988 11241100x80000000000000002496766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.988{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400604_WINWORD.EXE_6156_2428_1305.dmp2021-04-22 17:57:49.988 11241100x80000000000000002496765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.987{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400605_WINWORD.EXE_6156_2428_1304.dmp2021-04-22 17:57:49.987 11241100x80000000000000002496764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.987{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400605_WINWORD.EXE_6156_2428_1303.dmp2021-04-22 17:57:49.987 11241100x80000000000000002496763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.986{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400606_WINWORD.EXE_6156_2428_1302.dmp2021-04-22 17:57:49.986 11241100x80000000000000002496762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400606_WINWORD.EXE_6156_2428_1301.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400607_WINWORD.EXE_6156_2428_1300.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400607_WINWORD.EXE_6156_2428_1299.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400607_WINWORD.EXE_6156_2428_1298.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400608_WINWORD.EXE_6156_2428_1297.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400608_WINWORD.EXE_6156_2428_1296.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400609_WINWORD.EXE_6156_2428_1295.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400609_WINWORD.EXE_6156_2428_1294.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400610_WINWORD.EXE_6156_2428_1293.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400610_WINWORD.EXE_6156_2428_1292.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400611_WINWORD.EXE_6156_2428_1291.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400611_WINWORD.EXE_6156_2428_1290.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400611_WINWORD.EXE_6156_2428_1289.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400612_WINWORD.EXE_6156_2428_1288.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400612_WINWORD.EXE_6156_2428_1287.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400613_WINWORD.EXE_6156_2428_1286.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400613_WINWORD.EXE_6156_2428_1285.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400614_WINWORD.EXE_6156_2428_1284.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400614_WINWORD.EXE_6156_2428_1283.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400615_WINWORD.EXE_6156_2428_1282.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400615_WINWORD.EXE_6156_2428_1281.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400616_WINWORD.EXE_6156_2428_1280.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400616_WINWORD.EXE_6156_2428_1279.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400616_WINWORD.EXE_6156_2428_1278.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400617_WINWORD.EXE_6156_2428_1277.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400617_WINWORD.EXE_6156_2428_1276.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400618_WINWORD.EXE_6156_2428_1275.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400618_WINWORD.EXE_6156_2428_1274.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400619_WINWORD.EXE_6156_2428_1273.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400619_WINWORD.EXE_6156_2428_1272.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400620_WINWORD.EXE_6156_2428_1271.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400620_WINWORD.EXE_6156_2428_1270.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400620_WINWORD.EXE_6156_2428_1269.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400621_WINWORD.EXE_6156_2428_1268.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400621_WINWORD.EXE_6156_2428_1267.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400622_WINWORD.EXE_6156_2428_1266.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400622_WINWORD.EXE_6156_2428_1265.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400626_WINWORD.EXE_6156_2428_1264.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400626_WINWORD.EXE_6156_2428_1263.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400627_WINWORD.EXE_6156_2428_1262.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400627_WINWORD.EXE_6156_2428_1261.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400628_WINWORD.EXE_6156_2428_1260.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400628_WINWORD.EXE_6156_2428_1259.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400629_WINWORD.EXE_6156_2428_1258.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400629_WINWORD.EXE_6156_2428_1257.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400630_WINWORD.EXE_6156_2428_1256.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400630_WINWORD.EXE_6156_2428_1255.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400631_WINWORD.EXE_6156_2428_1254.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400631_WINWORD.EXE_6156_2428_1253.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400632_WINWORD.EXE_6156_2428_1252.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400632_WINWORD.EXE_6156_2428_1251.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400632_WINWORD.EXE_6156_2428_1250.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400633_WINWORD.EXE_6156_2428_1249.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400633_WINWORD.EXE_6156_2428_1248.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400634_WINWORD.EXE_6156_2428_1247.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400634_WINWORD.EXE_6156_2428_1246.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400635_WINWORD.EXE_6156_2428_1245.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400635_WINWORD.EXE_6156_2428_1244.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400635_WINWORD.EXE_6156_2428_1243.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400636_WINWORD.EXE_6156_2428_1242.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400636_WINWORD.EXE_6156_2428_1241.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400637_WINWORD.EXE_6156_2428_1240.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400638_WINWORD.EXE_6156_2428_1239.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400638_WINWORD.EXE_6156_2428_1238.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400638_WINWORD.EXE_6156_2428_1237.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400639_WINWORD.EXE_6156_2428_1236.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400639_WINWORD.EXE_6156_2428_1235.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400640_WINWORD.EXE_6156_2428_1234.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400640_WINWORD.EXE_6156_2428_1233.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400641_WINWORD.EXE_6156_2428_1232.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400641_WINWORD.EXE_6156_2428_1231.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400642_WINWORD.EXE_6156_2428_1230.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400642_WINWORD.EXE_6156_2428_1229.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400642_WINWORD.EXE_6156_2428_1228.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400643_WINWORD.EXE_6156_2428_1227.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400643_WINWORD.EXE_6156_2428_1226.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400644_WINWORD.EXE_6156_2428_1225.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400644_WINWORD.EXE_6156_2428_1224.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400645_WINWORD.EXE_6156_2428_1223.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400645_WINWORD.EXE_6156_2428_1222.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400645_WINWORD.EXE_6156_2428_1221.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400646_WINWORD.EXE_6156_2428_1220.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400646_WINWORD.EXE_6156_2428_1219.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400647_WINWORD.EXE_6156_2428_1218.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400647_WINWORD.EXE_6156_2428_1217.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400648_WINWORD.EXE_6156_2428_1216.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400648_WINWORD.EXE_6156_2428_1215.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400649_WINWORD.EXE_6156_2428_1214.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400649_WINWORD.EXE_6156_2428_1213.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400649_WINWORD.EXE_6156_2428_1212.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400650_WINWORD.EXE_6156_2428_1211.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400650_WINWORD.EXE_6156_2428_1210.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400651_WINWORD.EXE_6156_2428_1209.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400651_WINWORD.EXE_6156_2428_1208.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400652_WINWORD.EXE_6156_2428_1207.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400652_WINWORD.EXE_6156_2428_1206.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400653_WINWORD.EXE_6156_2428_1205.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400653_WINWORD.EXE_6156_2428_1204.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400654_WINWORD.EXE_6156_2428_1203.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400654_WINWORD.EXE_6156_2428_1202.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400654_WINWORD.EXE_6156_2428_1201.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400655_WINWORD.EXE_6156_2428_1200.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400655_WINWORD.EXE_6156_2428_1199.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400656_WINWORD.EXE_6156_2428_1198.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400656_WINWORD.EXE_6156_2428_1197.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400657_WINWORD.EXE_6156_2428_1196.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400657_WINWORD.EXE_6156_2428_1195.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400657_WINWORD.EXE_6156_2428_1194.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400658_WINWORD.EXE_6156_2428_1193.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400658_WINWORD.EXE_6156_2428_1192.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400659_WINWORD.EXE_6156_2428_1191.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400659_WINWORD.EXE_6156_2428_1190.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400660_WINWORD.EXE_6156_2428_1189.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400660_WINWORD.EXE_6156_2428_1188.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400661_WINWORD.EXE_6156_2428_1187.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400661_WINWORD.EXE_6156_2428_1186.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400661_WINWORD.EXE_6156_2428_1185.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400662_WINWORD.EXE_6156_2428_1184.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400662_WINWORD.EXE_6156_2428_1183.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400663_WINWORD.EXE_6156_2428_1182.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400663_WINWORD.EXE_6156_2428_1181.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400664_WINWORD.EXE_6156_2428_1180.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 11241100x80000000000000002496639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400665_WINWORD.EXE_6156_2428_1179.dmp2021-04-22 17:57:49.924 23542300x80000000000000002496638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6971FB364A414FCDF489D1EA168588,SHA256=39DD8D4FA63E443DC8A7A69AE899A48A5631DAC86880C7DB45065D85EF673BEAfalsefalse - insufficient disk space 11241100x80000000000000002496637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400665_WINWORD.EXE_6156_2428_1178.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400666_WINWORD.EXE_6156_2428_1177.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400666_WINWORD.EXE_6156_2428_1176.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400667_WINWORD.EXE_6156_2428_1175.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400667_WINWORD.EXE_6156_2428_1174.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400668_WINWORD.EXE_6156_2428_1173.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400669_WINWORD.EXE_6156_2428_1172.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400669_WINWORD.EXE_6156_2428_1171.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400670_WINWORD.EXE_6156_2428_1170.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400670_WINWORD.EXE_6156_2428_1169.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400670_WINWORD.EXE_6156_2428_1168.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400671_WINWORD.EXE_6156_2428_1167.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400671_WINWORD.EXE_6156_2428_1166.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400672_WINWORD.EXE_6156_2428_1165.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400672_WINWORD.EXE_6156_2428_1164.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400673_WINWORD.EXE_6156_2428_1163.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400673_WINWORD.EXE_6156_2428_1162.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400674_WINWORD.EXE_6156_2428_1161.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400674_WINWORD.EXE_6156_2428_1160.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400675_WINWORD.EXE_6156_2428_1159.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400675_WINWORD.EXE_6156_2428_1158.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400675_WINWORD.EXE_6156_2428_1157.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400676_WINWORD.EXE_6156_2428_1156.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400676_WINWORD.EXE_6156_2428_1155.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400677_WINWORD.EXE_6156_2428_1154.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400677_WINWORD.EXE_6156_2428_1153.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400678_WINWORD.EXE_6156_2428_1152.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400678_WINWORD.EXE_6156_2428_1151.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400679_WINWORD.EXE_6156_2428_1150.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400679_WINWORD.EXE_6156_2428_1149.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400680_WINWORD.EXE_6156_2428_1148.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400680_WINWORD.EXE_6156_2428_1147.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400680_WINWORD.EXE_6156_2428_1146.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400681_WINWORD.EXE_6156_2428_1145.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400681_WINWORD.EXE_6156_2428_1144.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400682_WINWORD.EXE_6156_2428_1143.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400682_WINWORD.EXE_6156_2428_1142.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400683_WINWORD.EXE_6156_2428_1141.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400683_WINWORD.EXE_6156_2428_1140.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400684_WINWORD.EXE_6156_2428_1139.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400684_WINWORD.EXE_6156_2428_1138.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400685_WINWORD.EXE_6156_2428_1137.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400685_WINWORD.EXE_6156_2428_1136.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400685_WINWORD.EXE_6156_2428_1135.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400686_WINWORD.EXE_6156_2428_1134.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400686_WINWORD.EXE_6156_2428_1133.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400687_WINWORD.EXE_6156_2428_1132.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400687_WINWORD.EXE_6156_2428_1131.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400688_WINWORD.EXE_6156_2428_1130.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400688_WINWORD.EXE_6156_2428_1129.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400689_WINWORD.EXE_6156_2428_1128.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400689_WINWORD.EXE_6156_2428_1127.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400690_WINWORD.EXE_6156_2428_1126.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400690_WINWORD.EXE_6156_2428_1125.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400691_WINWORD.EXE_6156_2428_1124.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400691_WINWORD.EXE_6156_2428_1123.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400691_WINWORD.EXE_6156_2428_1122.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400692_WINWORD.EXE_6156_2428_1121.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400692_WINWORD.EXE_6156_2428_1120.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400693_WINWORD.EXE_6156_2428_1119.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400693_WINWORD.EXE_6156_2428_1118.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400694_WINWORD.EXE_6156_2428_1117.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400694_WINWORD.EXE_6156_2428_1116.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400695_WINWORD.EXE_6156_2428_1115.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400695_WINWORD.EXE_6156_2428_1114.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400695_WINWORD.EXE_6156_2428_1113.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400696_WINWORD.EXE_6156_2428_1112.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400696_WINWORD.EXE_6156_2428_1111.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400697_WINWORD.EXE_6156_2428_1110.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400697_WINWORD.EXE_6156_2428_1109.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400698_WINWORD.EXE_6156_2428_1108.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400698_WINWORD.EXE_6156_2428_1107.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400699_WINWORD.EXE_6156_2428_1106.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400699_WINWORD.EXE_6156_2428_1105.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400700_WINWORD.EXE_6156_2428_1104.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400700_WINWORD.EXE_6156_2428_1103.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400701_WINWORD.EXE_6156_2428_1102.dmp2021-04-22 17:57:49.891 11241100x80000000000000002496560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.891{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400701_WINWORD.EXE_6156_2428_1101.dmp2021-04-22 17:57:49.891 11241100x80000000000000002496559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.891{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.890{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0938A88F4CC516E9B8081255DEE04B3,SHA256=AD7F7A8B902A6E4F69EB8C919B93D9B178B6F9684DD30CD2AB36AC56AE8C7F64falsefalse - insufficient disk space 11241100x80000000000000002496557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.890{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400702_WINWORD.EXE_6156_2428_1100.dmp2021-04-22 17:57:49.890 11241100x80000000000000002496556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.890{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400702_WINWORD.EXE_6156_2428_1099.dmp2021-04-22 17:57:49.889 11241100x80000000000000002496555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.889{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400703_WINWORD.EXE_6156_2428_1098.dmp2021-04-22 17:57:49.889 11241100x80000000000000002496554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.888{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400704_WINWORD.EXE_6156_2428_1097.dmp2021-04-22 17:57:49.888 11241100x80000000000000002496553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.888{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400704_WINWORD.EXE_6156_2428_1096.dmp2021-04-22 17:57:49.888 11241100x80000000000000002496552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.887{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400705_WINWORD.EXE_6156_2428_1095.dmp2021-04-22 17:57:49.887 11241100x80000000000000002496551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.886{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400705_WINWORD.EXE_6156_2428_1094.dmp2021-04-22 17:57:49.886 11241100x80000000000000002496550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.886{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400706_WINWORD.EXE_6156_2428_1093.dmp2021-04-22 17:57:49.886 11241100x80000000000000002496549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400706_WINWORD.EXE_6156_2428_1092.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400707_WINWORD.EXE_6156_2428_1091.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400707_WINWORD.EXE_6156_2428_1090.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400708_WINWORD.EXE_6156_2428_1089.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400708_WINWORD.EXE_6156_2428_1088.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400709_WINWORD.EXE_6156_2428_1087.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400709_WINWORD.EXE_6156_2428_1086.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400709_WINWORD.EXE_6156_2428_1085.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400710_WINWORD.EXE_6156_2428_1084.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400710_WINWORD.EXE_6156_2428_1083.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400711_WINWORD.EXE_6156_2428_1082.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400711_WINWORD.EXE_6156_2428_1081.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400712_WINWORD.EXE_6156_2428_1080.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400712_WINWORD.EXE_6156_2428_1079.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400713_WINWORD.EXE_6156_2428_1078.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400713_WINWORD.EXE_6156_2428_1077.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400713_WINWORD.EXE_6156_2428_1076.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400714_WINWORD.EXE_6156_2428_1075.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400714_WINWORD.EXE_6156_2428_1074.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400715_WINWORD.EXE_6156_2428_1073.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400715_WINWORD.EXE_6156_2428_1072.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400716_WINWORD.EXE_6156_2428_1071.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400716_WINWORD.EXE_6156_2428_1070.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400717_WINWORD.EXE_6156_2428_1069.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400717_WINWORD.EXE_6156_2428_1068.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400717_WINWORD.EXE_6156_2428_1067.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400718_WINWORD.EXE_6156_2428_1066.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400718_WINWORD.EXE_6156_2428_1065.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400719_WINWORD.EXE_6156_2428_1064.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400719_WINWORD.EXE_6156_2428_1063.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400720_WINWORD.EXE_6156_2428_1062.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400720_WINWORD.EXE_6156_2428_1061.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400721_WINWORD.EXE_6156_2428_1060.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400721_WINWORD.EXE_6156_2428_1059.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400721_WINWORD.EXE_6156_2428_1058.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400722_WINWORD.EXE_6156_2428_1057.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400722_WINWORD.EXE_6156_2428_1056.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400723_WINWORD.EXE_6156_2428_1055.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400723_WINWORD.EXE_6156_2428_1054.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400724_WINWORD.EXE_6156_2428_1053.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400724_WINWORD.EXE_6156_2428_1052.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400725_WINWORD.EXE_6156_2428_1051.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400725_WINWORD.EXE_6156_2428_1050.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400725_WINWORD.EXE_6156_2428_1049.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400726_WINWORD.EXE_6156_2428_1048.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400726_WINWORD.EXE_6156_2428_1047.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400727_WINWORD.EXE_6156_2428_1046.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400727_WINWORD.EXE_6156_2428_1045.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400728_WINWORD.EXE_6156_2428_1044.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400728_WINWORD.EXE_6156_2428_1043.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400728_WINWORD.EXE_6156_2428_1042.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400729_WINWORD.EXE_6156_2428_1041.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400729_WINWORD.EXE_6156_2428_1040.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400730_WINWORD.EXE_6156_2428_1039.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400730_WINWORD.EXE_6156_2428_1038.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400731_WINWORD.EXE_6156_2428_1037.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400731_WINWORD.EXE_6156_2428_1036.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400732_WINWORD.EXE_6156_2428_1035.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400732_WINWORD.EXE_6156_2428_1034.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400732_WINWORD.EXE_6156_2428_1033.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400733_WINWORD.EXE_6156_2428_1032.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400733_WINWORD.EXE_6156_2428_1031.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400734_WINWORD.EXE_6156_2428_1030.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400734_WINWORD.EXE_6156_2428_1029.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400735_WINWORD.EXE_6156_2428_1028.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400735_WINWORD.EXE_6156_2428_1027.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400735_WINWORD.EXE_6156_2428_1026.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400736_WINWORD.EXE_6156_2428_1025.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400736_WINWORD.EXE_6156_2428_1024.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400737_WINWORD.EXE_6156_2428_1023.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400737_WINWORD.EXE_6156_2428_1022.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400738_WINWORD.EXE_6156_2428_1021.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400738_WINWORD.EXE_6156_2428_1020.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400739_WINWORD.EXE_6156_2428_1019.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400739_WINWORD.EXE_6156_2428_1018.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400740_WINWORD.EXE_6156_2428_1017.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400740_WINWORD.EXE_6156_2428_1016.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400741_WINWORD.EXE_6156_2428_1015.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400741_WINWORD.EXE_6156_2428_1014.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400741_WINWORD.EXE_6156_2428_1013.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400742_WINWORD.EXE_6156_2428_1012.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400742_WINWORD.EXE_6156_2428_1011.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400743_WINWORD.EXE_6156_2428_1010.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400743_WINWORD.EXE_6156_2428_1009.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400747_WINWORD.EXE_6156_2428_1008.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400747_WINWORD.EXE_6156_2428_1007.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400748_WINWORD.EXE_6156_2428_1006.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400748_WINWORD.EXE_6156_2428_1005.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400749_WINWORD.EXE_6156_2428_1004.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400749_WINWORD.EXE_6156_2428_1003.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400749_WINWORD.EXE_6156_2428_1002.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400750_WINWORD.EXE_6156_2428_1001.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400750_WINWORD.EXE_6156_2428_1000.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400751_WINWORD.EXE_6156_2428_999.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400751_WINWORD.EXE_6156_2428_998.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400752_WINWORD.EXE_6156_2428_997.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400752_WINWORD.EXE_6156_2428_996.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400753_WINWORD.EXE_6156_2428_995.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400753_WINWORD.EXE_6156_2428_994.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400753_WINWORD.EXE_6156_2428_993.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400754_WINWORD.EXE_6156_2428_992.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400754_WINWORD.EXE_6156_2428_991.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400755_WINWORD.EXE_6156_2428_990.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400755_WINWORD.EXE_6156_2428_989.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400756_WINWORD.EXE_6156_2428_988.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400756_WINWORD.EXE_6156_2428_987.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400757_WINWORD.EXE_6156_2428_986.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400757_WINWORD.EXE_6156_2428_985.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400757_WINWORD.EXE_6156_2428_984.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400758_WINWORD.EXE_6156_2428_983.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400758_WINWORD.EXE_6156_2428_982.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400759_WINWORD.EXE_6156_2428_981.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400759_WINWORD.EXE_6156_2428_980.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400760_WINWORD.EXE_6156_2428_979.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400760_WINWORD.EXE_6156_2428_978.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400761_WINWORD.EXE_6156_2428_977.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400761_WINWORD.EXE_6156_2428_976.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400761_WINWORD.EXE_6156_2428_975.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400762_WINWORD.EXE_6156_2428_974.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400762_WINWORD.EXE_6156_2428_973.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400763_WINWORD.EXE_6156_2428_972.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400763_WINWORD.EXE_6156_2428_971.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400764_WINWORD.EXE_6156_2428_970.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400764_WINWORD.EXE_6156_2428_969.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400765_WINWORD.EXE_6156_2428_968.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400765_WINWORD.EXE_6156_2428_967.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400765_WINWORD.EXE_6156_2428_966.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400766_WINWORD.EXE_6156_2428_965.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400766_WINWORD.EXE_6156_2428_964.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400767_WINWORD.EXE_6156_2428_963.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400767_WINWORD.EXE_6156_2428_962.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400768_WINWORD.EXE_6156_2428_961.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400768_WINWORD.EXE_6156_2428_960.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400769_WINWORD.EXE_6156_2428_959.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400769_WINWORD.EXE_6156_2428_958.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400770_WINWORD.EXE_6156_2428_957.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400770_WINWORD.EXE_6156_2428_956.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400770_WINWORD.EXE_6156_2428_955.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400771_WINWORD.EXE_6156_2428_954.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400771_WINWORD.EXE_6156_2428_953.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400772_WINWORD.EXE_6156_2428_952.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400772_WINWORD.EXE_6156_2428_951.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400773_WINWORD.EXE_6156_2428_950.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400773_WINWORD.EXE_6156_2428_949.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400773_WINWORD.EXE_6156_2428_948.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400774_WINWORD.EXE_6156_2428_947.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400774_WINWORD.EXE_6156_2428_946.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400775_WINWORD.EXE_6156_2428_945.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400775_WINWORD.EXE_6156_2428_944.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400776_WINWORD.EXE_6156_2428_943.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400776_WINWORD.EXE_6156_2428_942.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400777_WINWORD.EXE_6156_2428_941.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400777_WINWORD.EXE_6156_2428_940.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400778_WINWORD.EXE_6156_2428_939.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400778_WINWORD.EXE_6156_2428_938.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400778_WINWORD.EXE_6156_2428_937.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400779_WINWORD.EXE_6156_2428_936.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400779_WINWORD.EXE_6156_2428_935.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400780_WINWORD.EXE_6156_2428_934.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400780_WINWORD.EXE_6156_2428_933.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400781_WINWORD.EXE_6156_2428_932.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400781_WINWORD.EXE_6156_2428_931.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400782_WINWORD.EXE_6156_2428_930.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400782_WINWORD.EXE_6156_2428_929.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400783_WINWORD.EXE_6156_2428_928.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400783_WINWORD.EXE_6156_2428_927.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400784_WINWORD.EXE_6156_2428_926.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400784_WINWORD.EXE_6156_2428_925.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400785_WINWORD.EXE_6156_2428_924.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400785_WINWORD.EXE_6156_2428_923.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400785_WINWORD.EXE_6156_2428_922.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400786_WINWORD.EXE_6156_2428_921.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400786_WINWORD.EXE_6156_2428_920.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400787_WINWORD.EXE_6156_2428_919.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400787_WINWORD.EXE_6156_2428_918.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400788_WINWORD.EXE_6156_2428_917.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400788_WINWORD.EXE_6156_2428_916.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400789_WINWORD.EXE_6156_2428_915.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400789_WINWORD.EXE_6156_2428_914.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400789_WINWORD.EXE_6156_2428_913.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400790_WINWORD.EXE_6156_2428_912.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400790_WINWORD.EXE_6156_2428_911.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400791_WINWORD.EXE_6156_2428_910.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400791_WINWORD.EXE_6156_2428_909.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400792_WINWORD.EXE_6156_2428_908.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400792_WINWORD.EXE_6156_2428_907.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400793_WINWORD.EXE_6156_2428_906.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400793_WINWORD.EXE_6156_2428_905.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400794_WINWORD.EXE_6156_2428_904.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400794_WINWORD.EXE_6156_2428_903.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400794_WINWORD.EXE_6156_2428_902.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400795_WINWORD.EXE_6156_2428_901.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400795_WINWORD.EXE_6156_2428_900.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400796_WINWORD.EXE_6156_2428_899.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400796_WINWORD.EXE_6156_2428_898.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400797_WINWORD.EXE_6156_2428_897.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400797_WINWORD.EXE_6156_2428_896.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400798_WINWORD.EXE_6156_2428_895.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400798_WINWORD.EXE_6156_2428_894.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400798_WINWORD.EXE_6156_2428_893.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400799_WINWORD.EXE_6156_2428_892.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400799_WINWORD.EXE_6156_2428_891.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400800_WINWORD.EXE_6156_2428_890.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400800_WINWORD.EXE_6156_2428_889.dmp2021-04-22 17:57:49.791 11241100x80000000000000002496345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.791{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400801_WINWORD.EXE_6156_2428_888.dmp2021-04-22 17:57:49.791 11241100x80000000000000002496344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.791{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400801_WINWORD.EXE_6156_2428_887.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.790{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400802_WINWORD.EXE_6156_2428_886.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.790{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400802_WINWORD.EXE_6156_2428_885.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.790{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400802_WINWORD.EXE_6156_2428_884.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.789{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400803_WINWORD.EXE_6156_2428_883.dmp2021-04-22 17:57:49.789 11241100x80000000000000002496339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.789{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400803_WINWORD.EXE_6156_2428_882.dmp2021-04-22 17:57:49.789 11241100x80000000000000002496338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.788{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400804_WINWORD.EXE_6156_2428_881.dmp2021-04-22 17:57:49.788 11241100x80000000000000002496337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.788{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400804_WINWORD.EXE_6156_2428_880.dmp2021-04-22 17:57:49.788 11241100x80000000000000002496336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.787{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400805_WINWORD.EXE_6156_2428_879.dmp2021-04-22 17:57:49.787 11241100x80000000000000002496335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.787{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400805_WINWORD.EXE_6156_2428_878.dmp2021-04-22 17:57:49.787 11241100x80000000000000002496334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.786{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400806_WINWORD.EXE_6156_2428_877.dmp2021-04-22 17:57:49.786 11241100x80000000000000002496333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.786{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400806_WINWORD.EXE_6156_2428_876.dmp2021-04-22 17:57:49.786 11241100x80000000000000002496332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400807_WINWORD.EXE_6156_2428_875.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400807_WINWORD.EXE_6156_2428_874.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400808_WINWORD.EXE_6156_2428_873.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400808_WINWORD.EXE_6156_2428_872.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400808_WINWORD.EXE_6156_2428_871.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400809_WINWORD.EXE_6156_2428_870.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400809_WINWORD.EXE_6156_2428_869.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400810_WINWORD.EXE_6156_2428_868.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400810_WINWORD.EXE_6156_2428_867.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400811_WINWORD.EXE_6156_2428_866.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400811_WINWORD.EXE_6156_2428_865.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400812_WINWORD.EXE_6156_2428_864.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400812_WINWORD.EXE_6156_2428_863.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400813_WINWORD.EXE_6156_2428_862.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400813_WINWORD.EXE_6156_2428_861.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400813_WINWORD.EXE_6156_2428_860.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400814_WINWORD.EXE_6156_2428_859.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400814_WINWORD.EXE_6156_2428_858.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400815_WINWORD.EXE_6156_2428_857.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400815_WINWORD.EXE_6156_2428_856.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400816_WINWORD.EXE_6156_2428_855.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400816_WINWORD.EXE_6156_2428_854.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400817_WINWORD.EXE_6156_2428_853.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400817_WINWORD.EXE_6156_2428_852.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400817_WINWORD.EXE_6156_2428_851.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400818_WINWORD.EXE_6156_2428_850.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400818_WINWORD.EXE_6156_2428_849.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400819_WINWORD.EXE_6156_2428_848.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400819_WINWORD.EXE_6156_2428_847.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400820_WINWORD.EXE_6156_2428_846.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400820_WINWORD.EXE_6156_2428_845.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400821_WINWORD.EXE_6156_2428_844.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400821_WINWORD.EXE_6156_2428_843.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400822_WINWORD.EXE_6156_2428_842.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400822_WINWORD.EXE_6156_2428_841.dmp2021-04-22 17:57:49.770 10341000x80000000000000002496297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.754{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002496296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.754{21761711-B7F2-6081-6F86-00000000BB01}61562428C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c98f|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d457|UNKNOWN(000001482C8CB72A) 154100x80000000000000002496295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.769{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.exeC:\Windows\SysWOW64\cscript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=25F006365CE5690FE06550D634FE36A1,SHA256=873A28C3A6D1D6278B4FA422F65FADF18150301D31B9AFA694BDB5E3BD6A165D{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Administrator\Desktop\asr_atomic.dotm 11241100x80000000000000002496294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.754{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400825_WINWORD.EXE_6156_2428_840.dmp2021-04-22 17:57:49.754 11241100x80000000000000002496293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.122{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.122{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D308C73C5A8E267F043FEBA5AD3368AE,SHA256=534B565FFD4DF7E79094FB70BA0FEA0C2BFF7BB03197D56D59AB8B903AABF291falsefalse - insufficient disk space 23542300x80000000000000001550723Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.660{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550722Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.245{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550721Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.245{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550720Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.182{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E1D101AC6611BEF62BD4F839338A48,SHA256=D2DDD2AE2D6344D1BFBEB9FD8453A6DEC3726B4CF7972F60517E88F295D423A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.823{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.823{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23AA3A3DD710656A0798D7FA7C55BC33,SHA256=6FCDA09338A3444D8C69587186D8AE12FCF5142D8B245714A61B1370CED7555Ffalsefalse - insufficient disk space 12241200x80000000000000002497276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 11241100x80000000000000002497275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000002497274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 23542300x80000000000000002497273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B512CBAB2D23B7155AC0B2B30DDA56,SHA256=3A129708420FB7CDFA9493E1BA58568A8D3DB7E67F51D935225ACC85B083AD8Bfalsefalse - insufficient disk space 734700x80000000000000002497272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x80000000000000002497271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 13241300x80000000000000002497270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000002497269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000002497268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x80000000000000002497267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000002497266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000002497265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000002497264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x80000000000000002497263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x80000000000000002497262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=6A4EC7FCDF21570DCB1AAEA8BCE6C68B,SHA256=11DF4EEFA9F2EAB3440D073442C14884AA4145360F1ADB63B220431E5D01BB2CtrueMicrosoft WindowsValid 12241200x80000000000000002497261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x80000000000000002497260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 10341000x80000000000000002497259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x80000000000000002497257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002497256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x80000000000000002497255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x80000000000000002497254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x80000000000000002497253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002497252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000002497251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x80000000000000002497250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x80000000000000002497249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000002497248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x80000000000000002497247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=5956013FD503AA525624271D79C23A41,SHA256=F678669E7BDEAA35648FD330F23627EA15B2D79D263610F46FB1B3881AEDBF74trueMicrosoft WindowsValid 734700x80000000000000002497246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x80000000000000002497245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x80000000000000002497244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x80000000000000002497243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000002497242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000002497241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000002497240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000002497239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1112AB17E3ABDFF5F20CB2F465A2E117,SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076trueMicrosoft WindowsValid 10341000x80000000000000002497238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000002497235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=D72267FB5D321279DE909DB118CDEEFE,SHA256=D8386DCF2ACF3D48A2C95CCF6C3A9505E1CA99FF803027D76068596A34210FAEtrueMicrosoft WindowsValid 734700x80000000000000002497234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4283 (rs1_release.210303-1802)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=253114E61AAAE4A12B73BAA54FBAAA62,SHA256=738E566E19705CA3190F448EDA108FAB2324C6A6E9DAAA12024777C9C5E6BF0EtrueMicrosoft WindowsValid 734700x80000000000000002497233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000002497232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x80000000000000002497231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000002497230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000002497229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 11241100x80000000000000002497228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000002497227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 23542300x80000000000000002497226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0B22558DFDF994E29830B35852DB21,SHA256=D358D200C0BC193A4D787B50FA524CC819E8EE4E6BBB322BFB657A4DC1594B1Bfalsefalse - insufficient disk space 734700x80000000000000002497225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000002497224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x80000000000000002497223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000002497222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000002497221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000002497220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000002497219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000002497218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000002497217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000002497216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000002497215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000002497214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 13241300x80000000000000002497213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001E049E\VirtualDesktopBinary Data 12241200x80000000000000002497205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001E049E 10341000x80000000000000002497204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002497202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002497201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000002497198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000002497192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000002497191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-83AE-607D-1600-00000000BB01}11082420C:\Windows\system32\svchost.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000002497188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000002497187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000002497185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002497184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000002497183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000002497182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000002497181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 10341000x80000000000000002497180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428216C:\Windows\system32\conhost.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000002497178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000002497176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000002497173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=C16CC61A395D046B4294C92F7C1FD0C2,SHA256=6B5240C0D6F5C1E87A7713CAB668FA9DB0E54492441979ACBD7EA9323724C1B8trueMicrosoft WindowsValid 734700x80000000000000002497164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000002497163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000002497162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000002497158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.205{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\cscript.exe 734700x80000000000000002497157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000002497156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)