354300x80000000000000001550570Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:17.642{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19371-false10.0.1.12-8000- 23542300x80000000000000001550569Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:23.660{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F9067D9D1D487A5E8E248F0BA560E7,SHA256=F253A5C35AEDBBE560FE968B37E864487F5FC289A97AD80C49D0E3A8811E3EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550573Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:24.673{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2FE1AB06B0519CF0FAF1FBE9BD2EFA,SHA256=3FBE85EDAEC8065BB8AC017444A52CEFD57E9EC7F69E6E5FCF6F8BD867A51917,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:24.138{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:24.138{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8E47D8F43DDD1256D2646E8EDE1950,SHA256=2B875D525735358A1528956FD99D77EF4772C91EF2F1BB6C63DF6015ADF4F752falsefalse - insufficient disk space 10341000x80000000000000001550572Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:24.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550571Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:24.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550576Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.679{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54A6258440743450374E3FE6D4CA1A9,SHA256=405F2550FC7F7F0AA233963F27B8F630292FF3ED76A5A9772A148C4E51DC5774,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:25.141{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:25.141{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238EB56ABAC657B73D2851065D28BB85,SHA256=1AB8AED7833543D6A8C7A9B2469673F1E0A33BDC002E707A755168BC7FC7E747falsefalse - insufficient disk space 10341000x80000000000000001550575Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550574Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.226{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550579Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:26.680{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE4956ACF325E456DA226F6E6F5FB3,SHA256=1E17B1EE3B55F22CC38CBA20BE468CCB4CCAD2E7AE6EF13D6FC0518283C70E6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:24.650{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50207-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.243{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.243{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E600EEFF894F70E9F26B6B632345FB,SHA256=BD6804C1AC07078F4964527BA3A3A9FBF43736DB8E0F77B5F062034C6CEAFA29falsefalse - insufficient disk space 10341000x80000000000000001550578Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:26.227{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550577Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:26.227{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.228{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:26.228{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=251B4C5EEBE8789F526DC22CED464D9B,SHA256=CFC04AAE10BA1B355CC7185CCBA49AFB69A50FF79CD970FEC978AAA4014AE81Afalsefalse - insufficient disk space 23542300x80000000000000001550582Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:27.690{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64802107FF599DC138B3633D5C02B74,SHA256=B5A526030E4E9F4C5A3CCE66BE70E2FB210233C0105B343FCD1A3DE59FE34BC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:27.246{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:27.246{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3550F65643ED41DD698F992DF04B343B,SHA256=9E1E9BD9B6F99980DEE79F869F896FF4E40ADCC3E335DB6AEBD9D79EFC368A7Efalsefalse - insufficient disk space 10341000x80000000000000001550581Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:27.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550580Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:27.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550588Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:22.775{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19372-false10.0.1.12-8000- 23542300x80000000000000001550587Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.693{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F11BBE404E9B5D3AF240E7C1C71EFE,SHA256=B609222FDACB704418EB154C9BB03519633DA04D89F2ECE1F3C2025651C5D0DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:28.248{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:28.248{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C12BE9C6448D6B74683E48A4DF31908,SHA256=B7BBA28369E9C22AB0CBDF08078D56E3FAEF10E891349FFDBE171F5BBD90AEB4falsefalse - insufficient disk space 23542300x80000000000000001550586Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.241{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8395E362765C047E33365565B4CBE346,SHA256=65957000AF7D8D8520B7C29F168E8EF48E28D12F5EF7F0FCAC14746372175913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550585Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.240{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1732CB889C896C15D1DE4551DAD957CE,SHA256=84ED1D126AF069A2A2859440F03F396965A1EFBCB69578C5AC606E40B78859EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550584Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550583Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.228{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550591Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.696{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFC26619BF676FD6A6E8386F5868F8E,SHA256=8CA98D290CC40D574F5B798ED36D4FC3FCDAACDBD582F814B72BEC45EA5AE3FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:29.250{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:29.250{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D532B207575EEB6EDD41D8B01D8107,SHA256=886B255DA9F21994376C74967256A8A202E46FE661A7EE52C727FEB871447C88falsefalse - insufficient disk space 10341000x80000000000000001550590Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550589Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550594Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:30.699{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D38532B7719222C8888B37417E00E77,SHA256=88FBD38C20DCEA7ABD2EFC1DCF045AD0E4E13EE12FD78C2E7D908CE09E2EB100,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:30.253{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:30.253{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC6F8582B6B9C2060CE6099E692E621,SHA256=3A5D6EA30AB53DD29B467AAD99B67ED171B5E692CBABF44C7B80CC302278BA23falsefalse - insufficient disk space 10341000x80000000000000001550593Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:30.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550592Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:30.229{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550600Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.588{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local19373-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001550599Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:25.588{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local19373-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001550598Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.706{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F347309222D7F2F8EDEA59C30E7CDAD,SHA256=AD3868D65510C80C4CBC490D75804F4235DBF1C5D9B863DA76F2DB484188DB35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:29.662{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50208-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.255{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.255{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C065B773603B1579CC1BCE31A0848888,SHA256=1AC391E2FBE74365025B4A2C95475976B3F59FB2B2337EAC0767FCC29D6FC5CFfalsefalse - insufficient disk space 10341000x80000000000000001550597Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.230{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550596Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.230{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550595Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:31.053{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8395E362765C047E33365565B4CBE346,SHA256=65957000AF7D8D8520B7C29F168E8EF48E28D12F5EF7F0FCAC14746372175913,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=623B95774ACACD7361B67800A409AF4A,SHA256=8F46AAA275A030CDE1805D9A7E284CD109EF0CE5373C7F3F7EB7D12437BCBD28falsefalse - insufficient disk space 11241100x80000000000000002496206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:31.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B49C6F7DB3474376B588AE8AAC6C8BCD,SHA256=A04661F0B0ABF3C92FCC0179F3D15143E92C978B265A5553916F0A155B1F7F27falsefalse - insufficient disk space 23542300x80000000000000001550603Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:32.722{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EB0ADD3E9112B80FF13E970DA0E809,SHA256=C98F02FA82673A53AC5733A4595CC0A69F50C4F395B8E4224853D81FE1D48636,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:32.374{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:32.374{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D4B2E1E7011C0688D596563A929EE3,SHA256=EE5F7A6C4468F060FF74731BC510BC2D77E8EEDD12FD4979D5A3C46975FDBB7Bfalsefalse - insufficient disk space 10341000x80000000000000001550602Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:32.231{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550601Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:32.231{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550609Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.074{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19374-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001550608Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.074{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19374-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 23542300x80000000000000001550607Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.729{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C3D7D15B8B48558FF0995EC9207A37,SHA256=0B52B964FB0C951DB5C970C2BFD4B7BBF829BB3F005C0A39656DFC8DA3832D95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:33.408{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:33.408{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E0216BA426E7EC2C02A217DA671C30,SHA256=CB66A8BAE289C58DA46735CBF6B8137744A05880FAD5BF858561C6A243EBCD23falsefalse - insufficient disk space 23542300x80000000000000001550606Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.538{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=789F5CC6DBC874DE8C2A2B70FA6D561B,SHA256=37A5B8ADF0E036DD7B248AEE63149FCAC0B8A6517EE02ABDD7DF43A5B024F7AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550605Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.232{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550604Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:33.232{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:34.439{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:34.439{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAB72DE946258A9D9CA8E7BDA28D5F2,SHA256=C645F6C48F02F8E45EDBA56C305D17123DF1EDC3878F9CB75788EC0F6018AA0Efalsefalse - insufficient disk space 354300x80000000000000001550614Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:28.673{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19375-false10.0.1.12-8000- 23542300x80000000000000001550613Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.752{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B53E513825880FFE69E5E168E9493C4,SHA256=55AF0BC6AEB521B961A0C733B806677435B9EC7CAB493FBC245880DBA8FD704F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550612Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.748{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46EC3837CC6503DF49B8E551B72671A,SHA256=C4BC8FD1F3AA067BF2F6464A46A90E70C941D616D14047DCC50FDD4B5F86915E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550611Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.233{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550610Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.233{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550617Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.757{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FF6985910946E20E868A11C213169C,SHA256=57DCFC807333281D5157FAA927C853853F2EF0ADFF0ACA43261BD42CEB91B74E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:35.439{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:35.439{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2581C92E1D62DF9AAA8FD63BB822BE1D,SHA256=090CA628D6A718100DB954C854334958CA91724C1182AA2A76FA511FF6A0C13Dfalsefalse - insufficient disk space 10341000x80000000000000001550616Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.234{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550615Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.234{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550621Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:29.323{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19376-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001550620Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:36.760{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D016F6100C82A91EA7BAB1E4EF625D0E,SHA256=5E7886BC9C6034E4ADFD9A62D5375A36FCCB82EBDEC18E69008E14D0AE64268F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.523{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.523{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981323B55DA3B35182126167AAF052D3,SHA256=486916697D4AA9D4732DBD3CC26D1A9B9FDD2C2F9C1371CC3BE03093E698D111falsefalse - insufficient disk space 10341000x80000000000000001550619Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:36.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550618Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:36.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.223{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:36.223{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=623B95774ACACD7361B67800A409AF4A,SHA256=8F46AAA275A030CDE1805D9A7E284CD109EF0CE5373C7F3F7EB7D12437BCBD28falsefalse - insufficient disk space 23542300x80000000000000001550624Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:37.765{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D932594584DC671E6B6A58763B97939E,SHA256=0AC318B8276528CFCD144547C3AAB8FFF58EADC833A58F34863F6D878F7AF271,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:34.664{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50209-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:37.539{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:37.539{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=506F06068119A44B7E25EBD9E545E218,SHA256=5A898F916EC488F756F88F13E1B7F730A4A0BFDCC4F276E22106C1E315AD4F43falsefalse - insufficient disk space 10341000x80000000000000001550623Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:37.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550622Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:37.235{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550627Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.769{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F0ED3F9B26A2AE2F7711A30A1D005D,SHA256=657201D5813DFC2AD159A3651317F30FE29719B170224CC2FF24755A5521A03D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:38.539{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:38.539{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DE49122B2CDB1F288576C324B854BF,SHA256=64A1BB790FB7617B24CE44DF90424A6897760834DCA99D5FCDA1B7BAA751FD39falsefalse - insufficient disk space 10341000x80000000000000001550626Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550625Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:39.540{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:39.540{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB42E2030F4C1E2AFD2C4ADAF472D80D,SHA256=13B288961AAE6FA764836B3EBF4EF740291B8E7C16FE496CE4F6C67E0D8C33DCfalsefalse - insufficient disk space 23542300x80000000000000001550630Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.773{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFBEBFFC33A6B3FC111BD0066F4B20D3,SHA256=B022F1797FA6DED777A16CFAD2DB610DB8A3143188CE7CA58C8895D17AD6741A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550629Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550628Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.236{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550637Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:34.557{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19377-false10.0.1.12-8000- 23542300x80000000000000001550636Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.787{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE73938CEE823384ED8123A1AA429E85,SHA256=25A9B7C21CB51D3BB428537DAC933AE13117B5D7C459D00F939AEAC913C542AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:40.574{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:40.574{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BDB3778540DB1C2CA3A261539CDC5B,SHA256=8E84C92C74BB5879E297472A0425AE9284A552CE9E8B95DEECBB1D93332A7F4Ffalsefalse - insufficient disk space 23542300x80000000000000001550635Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.435{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1AB3A7E97B94BE3BA00DE645C3F12CD,SHA256=17A448435EC37D9479F298A32ED2948D8600DF75AB25EFCAD36F297E5DABB3AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550634Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.237{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550633Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.237{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550632Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.098{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1AB3A7E97B94BE3BA00DE645C3F12CD,SHA256=17A448435EC37D9479F298A32ED2948D8600DF75AB25EFCAD36F297E5DABB3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550631Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:40.097{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=106FDE56BF7C1C835D417FF9ADE0E841,SHA256=98A4680D4E4BF87A64D1A7DB084A9FE8C27CD9D93E1C51E6BDBC4501367A4BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550690Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.987{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E1D44B2D64C1D17439EDA3D9515D69,SHA256=B70DFEF8ECF97B44F23AF6567DC54EB490DCE9381DFFDB0A1471C509D86E1DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550689Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.850{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local60854- 354300x80000000000000001550688Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.849{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local59790- 354300x80000000000000001550687Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.848{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local64076- 11241100x80000000000000002496238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.710{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.710{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBC495DB2B6F9FB717BE26823C2648C,SHA256=EBB1308EEE2799996862FA7E9FEEC74A905BD61FDDA2504014969C99807C7420falsefalse - insufficient disk space 354300x80000000000000001550686Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.848{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local62811- 354300x80000000000000001550685Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.847{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local51475- 354300x80000000000000001550684Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.845{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62861- 354300x80000000000000001550683Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.845{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local61385- 354300x80000000000000001550682Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.844{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local52675- 354300x80000000000000001550681Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.843{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62815- 354300x80000000000000001550680Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.842{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local52224- 354300x80000000000000001550679Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.841{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local59012- 354300x80000000000000001550678Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.840{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62737- 354300x80000000000000001550677Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.839{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local62472- 354300x80000000000000001550676Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.839{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62093- 354300x80000000000000001550675Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.838{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local64792- 354300x80000000000000001550674Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.837{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local58227- 354300x80000000000000001550673Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.837{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local63905- 354300x80000000000000001550672Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.836{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local61552- 354300x80000000000000001550671Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.836{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local60672- 354300x80000000000000001550670Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.834{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local59659- 354300x80000000000000001550669Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.833{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local52936- 354300x80000000000000001550668Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.832{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local59361- 354300x80000000000000001550667Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.829{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local61872- 354300x80000000000000001550666Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.828{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local50780- 354300x80000000000000001550665Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.826{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local62598- 354300x80000000000000001550664Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.825{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local58083- 354300x80000000000000001550663Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.825{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local64772- 354300x80000000000000001550662Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.824{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local50828- 354300x80000000000000001550661Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.824{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58294- 354300x80000000000000001550660Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.823{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58083-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domain 354300x80000000000000001550659Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.823{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local52256- 354300x80000000000000001550658Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.822{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local51477- 354300x80000000000000001550657Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.821{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local63384- 354300x80000000000000001550656Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.821{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local63618- 354300x80000000000000001550655Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.820{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local59383- 354300x80000000000000001550654Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.820{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local49950- 354300x80000000000000001550653Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.819{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62377- 354300x80000000000000001550652Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.818{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local61632- 354300x80000000000000001550651Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.817{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local51971- 354300x80000000000000001550650Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.816{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local64275- 354300x80000000000000001550649Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.815{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local60263- 354300x80000000000000001550648Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.14win-dc-982.attackrange.local62887- 354300x80000000000000001550647Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-982.attackrange.local62887-false10.0.1.14win-dc-982.attackrange.local53domain 354300x80000000000000001550646Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58083- 354300x80000000000000001550645Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.814{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local58083-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local53domain 354300x80000000000000001550644Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.806{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19379-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001550643Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.806{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19379-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001550642Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.805{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19378-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001550641Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:35.805{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19378-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 23542300x80000000000000001550640Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.270{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AE3F8AD13137861CF86811D85B5E718,SHA256=054FBC82EA553C1165030FE3FDD2AA513F3876FF1460EEA7A894BAECA6A4E981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550639Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.238{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550638Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:41.238{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002496236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F769CEA0EFCEC2C2B70620400D584DF4,SHA256=8E64FEF387F31E6EAA26A65A10DDD11FF8FC9A4872E32246ADA8EEE18193F3CDfalsefalse - insufficient disk space 11241100x80000000000000002496234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:41.310{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CD51D0E663F698B30B9FE2208539A0E,SHA256=D8491FCA13DF99232710D82B114C98D5FE2F38448D1891E913AD7E936DAE5A5Bfalsefalse - insufficient disk space 11241100x80000000000000002496243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.858{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000002496242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.858{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 11241100x80000000000000002496241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.727{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.727{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4767F046421803AC40EE01B46E502F8F,SHA256=CB855687F6F73CAE543BBFD2DB2CBFD03834FCD91C50E816E879161C36437772falsefalse - insufficient disk space 10341000x80000000000000001550692Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:42.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550691Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:42.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002496239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:39.666{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50210-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.943{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.943{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BF9B5A456DBBEF1F7AB39A7D2E21A8,SHA256=8A71A84AEBD8B4E9A57C66FB87BC721303C60C6D4922D372F533AE317C493520falsefalse - insufficient disk space 10341000x80000000000000001550695Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:43.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550694Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:43.239{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550693Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:43.078{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14774324D6E436DAF180F3528FC5D54E,SHA256=96924EA664872DEA4E21513DAACE750DADFB50CE3F8C48515A7FA4A6655F9790,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.859{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:43.859{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F769CEA0EFCEC2C2B70620400D584DF4,SHA256=8E64FEF387F31E6EAA26A65A10DDD11FF8FC9A4872E32246ADA8EEE18193F3CDfalsefalse - insufficient disk space 11241100x80000000000000002496252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.944{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.944{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881FAD7D76A44B0EF746144DDCC1CCA6,SHA256=70A5F66FE63BA1B471F5A8C87814B620F5BE547320E7CFBFE11A21B77804496Bfalsefalse - insufficient disk space 354300x80000000000000001550700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:38.663{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19380-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001550699Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.240{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550698Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.240{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550697Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.144{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBEEF23F3B71CE5556032DDF9119A5A,SHA256=0DE2C5A9EFD7C5B5D870A2FBB12A7DBB87945ACBC645B556782383E9DEB8C62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002496250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.428{21761711-C665-607D-D60D-00000000BB01}4492WIN-HOST-5\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\datareporting\aborted-session-pingMD5=A8E5CF8EC46CA6DAFF6F289E4D735501,SHA256=7D1830BB8FAF897A059BC7CDF161DBF5BEC7BB0B24B17E1E68F4CDF44F326FE8falsefalse - insufficient disk space 11241100x80000000000000002496249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:44.428{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\datareporting\aborted-session-ping.tmp2021-04-22 17:57:44.428 354300x80000000000000002496248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:42.330{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50211-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001550696Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:44.129{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A709209D1B8CD78E4D8A3FB4D662BFCD,SHA256=79588BC98A9C1FBD9A42BCF9D11905A4EE925134CC11E35AE85727A387E50F67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:45.983{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:45.983{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C5AC4621482B48590011DCEE4DB2E0,SHA256=1311B0D56F836BAADE1E301C9EF51BEC1E56CB711B185B2A2BA6995679DE3399falsefalse - insufficient disk space 354300x80000000000000001550705Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:39.689{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19381-false10.0.1.12-8000- 10341000x80000000000000001550704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.241{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550703Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.241{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550702Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.151{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=466A1A5D84EA91E32652BA928F1404E0,SHA256=F47FD5C37EC6811FB21B488FEE3938890CB847855EA4CABCEDCC8275E03E76F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550701Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.147{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3532B1BE63094DC6DCCB0E60F737777E,SHA256=4C91729454288F21214A3D64381EBF97FA868F2885AD9B9D898248D491EC5EDD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002496282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.880{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSAllCategories6,10 13241300x80000000000000002496281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.880{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSCategoriesSeverities2086 15,827 15,1001 15,2159 10,1000 15,999 15,226 15,1282 50,1338 10,1338 50,1282 10,831 15,1338 15,1282 15,1128 15,2087 15,850 15,1039 15,998 15,828 15,829 15,2088 15,1255 15,830 15,974 15,1249 15,670 15,2159 6,671 15,1002 15,669 15,291 15,1249 10,70 50,1584 50 13241300x80000000000000002496280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.880{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds119200081,25036313,19200082,19200084,36577664,24498245,19200085,20312798,36274758,38929627,36274766,36274759,36274767,25228040,36274768,36274756,36274760,50738824,40920586,50890261,19805647,19805655,19805645,23979213,20833951,40920534,23979205,23979204,23979210,595940420,40920576,40921180,36283598,40920410,36283600,40921045,50890311,50890144,20039441,50890201,40921313,40921312,51680200,19952736,577828117,36487509,577828115,36487503,19200142,19200146,19685471,24404955,24404956,24498243,25036314,38040274,595939597,22382368,25183950 13241300x80000000000000002496279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor\ULSTagIds08758344,17134338,34968335,24131419,19677900,40920709,20039442,18409363,21378256,19972417,19200086,51655840,17634580,18658649,18375312,23979203,18658648,17698823,17183040,19677907,34968340,18948503,18658650,17650967,21378211,18637650,18674530,9319450,17126295,18948102,21313610,18409416,18948101,36517339,17634578,18400089,36761792,21030802,21378249,20979747,34968342,34968338,50890251,34968337,34968339,24470607,8448079,6366290,38013077,34968341,7690258,34968589,36274763,17182941,24406167,20027008,17182979,20027009,9176926,23205313,7690254,5850584,8263521,17622912,51655839,18208657,5850305,51679313,18405130,51679314,5850582,20770843,8750241,22623970,6170083,23459486,16859363,19182148,17182980,8988293,19933261,5850463,17064074,18400091,19539223,6166345,17334863,38062236,17182943,17182942,6636694,17182981,41976736,5850306,5850583,21378252,7218753,8430030,37048725,25183952,5850062,18384724,17922253,21378246,19182146,6636695,18948499,17182982,21313503,17650969,5850061,21313506,17146274,7692557,18400093,19200088,17650968,19790027,5850307,51196381,17650970,38040275,17650971,19182147,8254547,19182149,18208715,36487501,17698821,18405138,41736099,6137435,19200087,25036311,5850122,24466059,18970753,17698822,8988294,37365058,17846753,17698820,17846730,17106064,17846750,19805648,18400076,17885409,19261452,36507861,135022598,19261450,25036315,21014468,6366030,20998161,20998160,4859234,20998163,36283595,24498246,20998158,34198423,6301592,20730712,41484365,20998159,36517340,6366028,6366025,6366039,50405897,21014467,18405147,18400095,19200078,21014465,20998157,20998164,18401413,6366291,18401414,21313537,18401415,18401416,38293842,9242009,21313504,17102418,21313536,21313507,17376418,21378210,21378243,21378247,21378240,21378248,21378241,21378253,36274765,38293833,36577635,24470550,21378254,18633497,40921221,21378255,7116053,21378245,21561487,17610659,593797656,8750274,7214607,38040271,593797655,17339214,20489431,21587081,21587082,5850824,7997533,5850753,5898849,5898880,5898881,5898884,5898847,22929427,20312797,5898851,8701660,25183951,5898845,18917267,18970755,18917328,36487495,18917326,18949600,19230863,40920589,25228039,18917268,18917269,18970761,36292435,18917271,34198662,20492502,18917330,18949601,22595279,22131171,18711811,573899343,22131207,22131169,22131208,25183953,22853699,19805646,22853700,18948169,17110992,22929425,5587867,23414153,24466061,17962391,19933262,22853712,5850525,24991179,24991180,41158543,51196379,51196380,8263520,17934346,17393553,19207815,18647260,19137989,18970759,24993875,18638031,21313609,21313611,6647824,25036310,17573643,7868952,7463105,7690253,19200035,38293841,17106059,17106060,19200065,17106065,17106063,18400083,36487504,17962113,19744898,40920708,18948501,17184070,24511183,18474530,18625879,18982487,16860185,20547351,20248016,38040268,24651927,18375313,19252294,20547294,7922270,5804129,36274764,36487516,20312793,7202269,23979201,23978014,18679566,17045407,19693829,17184025,36274762,594650054,18400081,8709078,17184068,595174594,18208705,37308099,17334865,17618826,18400075,36487496,18400087,18405132,18405134,19200083,18405136,18405140,18405142,40921218,18405144,36577665,22058587,22074074,8709086,23643035,20484631,18970757,18970763,39965824,577828114,593359442,5601366,17110988,5601367,17962392,18441314,36274757,4289286,26019932,19693830,4317338,19437717,21030738,36274761,22349186,21034758,36495773,37889366,37332947,4859233,17969938,17445650,18208656,18208672,25036312,18208658,17445651,8709120,8709129,8750272,8709089,18621250,50890327,36487497,8709081,16920930,20789191,17134337,589685770,8750242,19200080,50890328,16843347,7214608,18428691,19978123,18647262,577828116,19978122,20026645,18384725,7459348,36487502,18384801,36487498,19744899,36487512,7690256,19732354,5888003,19732353,23979200,18384802,18633496,23729926,18647259,18647261,20026646,17045408,8430031,8254544,51675359,17425365,8747207,17425358,19543137,19543138,19252293,23729931,22070208,592446983,40921166,589685772,8758345,19200034,19200075,19200064,19200076,19200077 12241200x80000000000000002496278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 13241300x80000000000000002496277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\CategoriesBinary Data 13241300x80000000000000002496276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4DWORD (0x00000000) 12241200x80000000000000002496275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 13241300x80000000000000002496274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\CategoriesBinary Data 13241300x80000000000000002496273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}\4DWORD (0x00000000) 12241200x80000000000000002496272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 13241300x80000000000000002496271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\CategoriesBinary Data 13241300x80000000000000002496270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07}\5DWORD (0x00000000) 12241200x80000000000000002496269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.879{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 13241300x80000000000000002496268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\CategoriesBinary Data 13241300x80000000000000002496267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473}\4DWORD (0x00000000) 12241200x80000000000000002496266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 13241300x80000000000000002496265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\CategoriesBinary Data 13241300x80000000000000002496264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA}\5DWORD (0x00000000) 12241200x80000000000000002496263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000002496262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000002496261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000002496260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe 12241200x80000000000000002496259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ULSMonitor 12241200x80000000000000002496258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor 12241200x80000000000000002496257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C} 12241200x80000000000000002496256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.878{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{DAF0B914-9C1C-450A-81B2-FEA7244F6FFA} 12241200x80000000000000002496255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.877{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{BB00E856-A12F-4AB7-B2C8-4E80CAEA5B07} 12241200x80000000000000002496254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.877{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{A1B69D49-2195-4F59-9D33-BDF30C0FE473} 12241200x80000000000000002496253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:45.877{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\winword.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} 10341000x80000000000000001550708Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:46.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550707Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:46.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550706Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:46.159{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD5099C14859964A025DDD799C013A8,SHA256=15C2560F9A466BB7B76489D2D12CB5A804C3531083604156415FB336C53986AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.248{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002496287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.248{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B07E6FE1408E9E1E5EB5FE632AD9DFDC,SHA256=0B970F20F9B0FE8D1AE3789B1EAC1E1C5A9ADC66BF962A9D5883D83E9FC985A1falsefalse - insufficient disk space 11241100x80000000000000002496286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.081{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:47.081{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D25BB27738AF9769B2AA14A31944F3,SHA256=B9226F6FE4B6E80D7AE13544DEA69B80C7F06B12B4AA6166C8C72E3AEE2B5893falsefalse - insufficient disk space 10341000x80000000000000001550711Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:47.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550710Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:47.242{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550709Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:47.162{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C10F10135D43CE2B3AB70DAF115E4F,SHA256=1666AEA4916B2F9867B789529CE01DE5469BFC9B00F79385F2A9B00E29F9D691,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002496291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:45.687{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50212-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002496290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:48.119{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:48.119{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46218DB07FCA67E31AE0394787180B27,SHA256=0822904315D0D208F8CAEC16BF7AE1D6C8EB671E7117D35B0FF6417B94F6F01Cfalsefalse - insufficient disk space 354300x80000000000000001550716Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:42.560{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19382-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001550715Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.243{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550714Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.243{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550713Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.167{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EF394B4091142334E0189B650EB333,SHA256=3A0608DDE255B5EEDC03B7E531692B731E607FC99DC480A42E6CC9B6E7F97020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550712Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:48.037{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDBF0865AA9D156E45AC2AB085C72765,SHA256=0BE6A9262432811F90F76AAFE35D26CED461BDA12F5F4675C90393EFFAF86400,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550719Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:49.244{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550718Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:49.244{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550717Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:49.173{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6527329CC9CACF8E868EB0CE736C7E29,SHA256=54D5F53973994C61EC3B4BCEAEFAD3D2E1FC26AF7C46B7E65B378B86878BC654,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002496784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400593_WINWORD.EXE_6156_2428_1323.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400594_WINWORD.EXE_6156_2428_1322.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400594_WINWORD.EXE_6156_2428_1321.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400594_WINWORD.EXE_6156_2428_1320.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400595_WINWORD.EXE_6156_2428_1319.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400595_WINWORD.EXE_6156_2428_1318.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400596_WINWORD.EXE_6156_2428_1317.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400596_WINWORD.EXE_6156_2428_1316.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400597_WINWORD.EXE_6156_2428_1315.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400597_WINWORD.EXE_6156_2428_1314.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400600_WINWORD.EXE_6156_2428_1313.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.991{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400601_WINWORD.EXE_6156_2428_1312.dmp2021-04-22 17:57:49.991 11241100x80000000000000002496772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.991{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400601_WINWORD.EXE_6156_2428_1311.dmp2021-04-22 17:57:49.991 11241100x80000000000000002496771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.990{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400602_WINWORD.EXE_6156_2428_1310.dmp2021-04-22 17:57:49.990 11241100x80000000000000002496770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.990{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400602_WINWORD.EXE_6156_2428_1309.dmp2021-04-22 17:57:49.990 11241100x80000000000000002496769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.989{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400603_WINWORD.EXE_6156_2428_1308.dmp2021-04-22 17:57:49.989 11241100x80000000000000002496768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.989{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400603_WINWORD.EXE_6156_2428_1307.dmp2021-04-22 17:57:49.989 11241100x80000000000000002496767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.988{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400604_WINWORD.EXE_6156_2428_1306.dmp2021-04-22 17:57:49.988 11241100x80000000000000002496766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.988{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400604_WINWORD.EXE_6156_2428_1305.dmp2021-04-22 17:57:49.988 11241100x80000000000000002496765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.987{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400605_WINWORD.EXE_6156_2428_1304.dmp2021-04-22 17:57:49.987 11241100x80000000000000002496764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.987{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400605_WINWORD.EXE_6156_2428_1303.dmp2021-04-22 17:57:49.987 11241100x80000000000000002496763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.986{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400606_WINWORD.EXE_6156_2428_1302.dmp2021-04-22 17:57:49.986 11241100x80000000000000002496762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400606_WINWORD.EXE_6156_2428_1301.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400607_WINWORD.EXE_6156_2428_1300.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400607_WINWORD.EXE_6156_2428_1299.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400607_WINWORD.EXE_6156_2428_1298.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400608_WINWORD.EXE_6156_2428_1297.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400608_WINWORD.EXE_6156_2428_1296.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400609_WINWORD.EXE_6156_2428_1295.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400609_WINWORD.EXE_6156_2428_1294.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400610_WINWORD.EXE_6156_2428_1293.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400610_WINWORD.EXE_6156_2428_1292.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400611_WINWORD.EXE_6156_2428_1291.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400611_WINWORD.EXE_6156_2428_1290.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400611_WINWORD.EXE_6156_2428_1289.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400612_WINWORD.EXE_6156_2428_1288.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400612_WINWORD.EXE_6156_2428_1287.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400613_WINWORD.EXE_6156_2428_1286.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400613_WINWORD.EXE_6156_2428_1285.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400614_WINWORD.EXE_6156_2428_1284.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400614_WINWORD.EXE_6156_2428_1283.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400615_WINWORD.EXE_6156_2428_1282.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400615_WINWORD.EXE_6156_2428_1281.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400616_WINWORD.EXE_6156_2428_1280.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400616_WINWORD.EXE_6156_2428_1279.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400616_WINWORD.EXE_6156_2428_1278.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400617_WINWORD.EXE_6156_2428_1277.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400617_WINWORD.EXE_6156_2428_1276.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400618_WINWORD.EXE_6156_2428_1275.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400618_WINWORD.EXE_6156_2428_1274.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400619_WINWORD.EXE_6156_2428_1273.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400619_WINWORD.EXE_6156_2428_1272.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400620_WINWORD.EXE_6156_2428_1271.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400620_WINWORD.EXE_6156_2428_1270.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400620_WINWORD.EXE_6156_2428_1269.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400621_WINWORD.EXE_6156_2428_1268.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.971{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400621_WINWORD.EXE_6156_2428_1267.dmp2021-04-22 17:57:49.971 11241100x80000000000000002496727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400622_WINWORD.EXE_6156_2428_1266.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400622_WINWORD.EXE_6156_2428_1265.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400626_WINWORD.EXE_6156_2428_1264.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400626_WINWORD.EXE_6156_2428_1263.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400627_WINWORD.EXE_6156_2428_1262.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400627_WINWORD.EXE_6156_2428_1261.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400628_WINWORD.EXE_6156_2428_1260.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400628_WINWORD.EXE_6156_2428_1259.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400629_WINWORD.EXE_6156_2428_1258.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400629_WINWORD.EXE_6156_2428_1257.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400630_WINWORD.EXE_6156_2428_1256.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400630_WINWORD.EXE_6156_2428_1255.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400631_WINWORD.EXE_6156_2428_1254.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400631_WINWORD.EXE_6156_2428_1253.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400632_WINWORD.EXE_6156_2428_1252.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400632_WINWORD.EXE_6156_2428_1251.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400632_WINWORD.EXE_6156_2428_1250.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400633_WINWORD.EXE_6156_2428_1249.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400633_WINWORD.EXE_6156_2428_1248.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400634_WINWORD.EXE_6156_2428_1247.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400634_WINWORD.EXE_6156_2428_1246.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400635_WINWORD.EXE_6156_2428_1245.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400635_WINWORD.EXE_6156_2428_1244.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400635_WINWORD.EXE_6156_2428_1243.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400636_WINWORD.EXE_6156_2428_1242.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400636_WINWORD.EXE_6156_2428_1241.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.955{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400637_WINWORD.EXE_6156_2428_1240.dmp2021-04-22 17:57:49.955 11241100x80000000000000002496700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400638_WINWORD.EXE_6156_2428_1239.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400638_WINWORD.EXE_6156_2428_1238.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400638_WINWORD.EXE_6156_2428_1237.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400639_WINWORD.EXE_6156_2428_1236.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400639_WINWORD.EXE_6156_2428_1235.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400640_WINWORD.EXE_6156_2428_1234.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400640_WINWORD.EXE_6156_2428_1233.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400641_WINWORD.EXE_6156_2428_1232.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400641_WINWORD.EXE_6156_2428_1231.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400642_WINWORD.EXE_6156_2428_1230.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400642_WINWORD.EXE_6156_2428_1229.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400642_WINWORD.EXE_6156_2428_1228.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400643_WINWORD.EXE_6156_2428_1227.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400643_WINWORD.EXE_6156_2428_1226.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400644_WINWORD.EXE_6156_2428_1225.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400644_WINWORD.EXE_6156_2428_1224.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400645_WINWORD.EXE_6156_2428_1223.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400645_WINWORD.EXE_6156_2428_1222.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400645_WINWORD.EXE_6156_2428_1221.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400646_WINWORD.EXE_6156_2428_1220.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400646_WINWORD.EXE_6156_2428_1219.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400647_WINWORD.EXE_6156_2428_1218.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400647_WINWORD.EXE_6156_2428_1217.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400648_WINWORD.EXE_6156_2428_1216.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400648_WINWORD.EXE_6156_2428_1215.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400649_WINWORD.EXE_6156_2428_1214.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400649_WINWORD.EXE_6156_2428_1213.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400649_WINWORD.EXE_6156_2428_1212.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400650_WINWORD.EXE_6156_2428_1211.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400650_WINWORD.EXE_6156_2428_1210.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400651_WINWORD.EXE_6156_2428_1209.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400651_WINWORD.EXE_6156_2428_1208.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400652_WINWORD.EXE_6156_2428_1207.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400652_WINWORD.EXE_6156_2428_1206.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400653_WINWORD.EXE_6156_2428_1205.dmp2021-04-22 17:57:49.939 11241100x80000000000000002496665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.939{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400653_WINWORD.EXE_6156_2428_1204.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400654_WINWORD.EXE_6156_2428_1203.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400654_WINWORD.EXE_6156_2428_1202.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400654_WINWORD.EXE_6156_2428_1201.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400655_WINWORD.EXE_6156_2428_1200.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400655_WINWORD.EXE_6156_2428_1199.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400656_WINWORD.EXE_6156_2428_1198.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400656_WINWORD.EXE_6156_2428_1197.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400657_WINWORD.EXE_6156_2428_1196.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400657_WINWORD.EXE_6156_2428_1195.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400657_WINWORD.EXE_6156_2428_1194.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400658_WINWORD.EXE_6156_2428_1193.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400658_WINWORD.EXE_6156_2428_1192.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400659_WINWORD.EXE_6156_2428_1191.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400659_WINWORD.EXE_6156_2428_1190.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400660_WINWORD.EXE_6156_2428_1189.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400660_WINWORD.EXE_6156_2428_1188.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400661_WINWORD.EXE_6156_2428_1187.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400661_WINWORD.EXE_6156_2428_1186.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400661_WINWORD.EXE_6156_2428_1185.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400662_WINWORD.EXE_6156_2428_1184.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400662_WINWORD.EXE_6156_2428_1183.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400663_WINWORD.EXE_6156_2428_1182.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400663_WINWORD.EXE_6156_2428_1181.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400664_WINWORD.EXE_6156_2428_1180.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 11241100x80000000000000002496639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400665_WINWORD.EXE_6156_2428_1179.dmp2021-04-22 17:57:49.924 23542300x80000000000000002496638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6971FB364A414FCDF489D1EA168588,SHA256=39DD8D4FA63E443DC8A7A69AE899A48A5631DAC86880C7DB45065D85EF673BEAfalsefalse - insufficient disk space 11241100x80000000000000002496637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400665_WINWORD.EXE_6156_2428_1178.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400666_WINWORD.EXE_6156_2428_1177.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400666_WINWORD.EXE_6156_2428_1176.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400667_WINWORD.EXE_6156_2428_1175.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400667_WINWORD.EXE_6156_2428_1174.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400668_WINWORD.EXE_6156_2428_1173.dmp2021-04-22 17:57:49.924 11241100x80000000000000002496631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.924{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400669_WINWORD.EXE_6156_2428_1172.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400669_WINWORD.EXE_6156_2428_1171.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400670_WINWORD.EXE_6156_2428_1170.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400670_WINWORD.EXE_6156_2428_1169.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400670_WINWORD.EXE_6156_2428_1168.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400671_WINWORD.EXE_6156_2428_1167.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400671_WINWORD.EXE_6156_2428_1166.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400672_WINWORD.EXE_6156_2428_1165.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400672_WINWORD.EXE_6156_2428_1164.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400673_WINWORD.EXE_6156_2428_1163.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400673_WINWORD.EXE_6156_2428_1162.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400674_WINWORD.EXE_6156_2428_1161.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400674_WINWORD.EXE_6156_2428_1160.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400675_WINWORD.EXE_6156_2428_1159.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400675_WINWORD.EXE_6156_2428_1158.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400675_WINWORD.EXE_6156_2428_1157.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400676_WINWORD.EXE_6156_2428_1156.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400676_WINWORD.EXE_6156_2428_1155.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400677_WINWORD.EXE_6156_2428_1154.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400677_WINWORD.EXE_6156_2428_1153.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400678_WINWORD.EXE_6156_2428_1152.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400678_WINWORD.EXE_6156_2428_1151.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400679_WINWORD.EXE_6156_2428_1150.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400679_WINWORD.EXE_6156_2428_1149.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400680_WINWORD.EXE_6156_2428_1148.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400680_WINWORD.EXE_6156_2428_1147.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400680_WINWORD.EXE_6156_2428_1146.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400681_WINWORD.EXE_6156_2428_1145.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400681_WINWORD.EXE_6156_2428_1144.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400682_WINWORD.EXE_6156_2428_1143.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400682_WINWORD.EXE_6156_2428_1142.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400683_WINWORD.EXE_6156_2428_1141.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400683_WINWORD.EXE_6156_2428_1140.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400684_WINWORD.EXE_6156_2428_1139.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.908{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400684_WINWORD.EXE_6156_2428_1138.dmp2021-04-22 17:57:49.908 11241100x80000000000000002496596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400685_WINWORD.EXE_6156_2428_1137.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400685_WINWORD.EXE_6156_2428_1136.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400685_WINWORD.EXE_6156_2428_1135.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400686_WINWORD.EXE_6156_2428_1134.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400686_WINWORD.EXE_6156_2428_1133.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400687_WINWORD.EXE_6156_2428_1132.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400687_WINWORD.EXE_6156_2428_1131.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400688_WINWORD.EXE_6156_2428_1130.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400688_WINWORD.EXE_6156_2428_1129.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400689_WINWORD.EXE_6156_2428_1128.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400689_WINWORD.EXE_6156_2428_1127.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400690_WINWORD.EXE_6156_2428_1126.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400690_WINWORD.EXE_6156_2428_1125.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400691_WINWORD.EXE_6156_2428_1124.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400691_WINWORD.EXE_6156_2428_1123.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400691_WINWORD.EXE_6156_2428_1122.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400692_WINWORD.EXE_6156_2428_1121.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400692_WINWORD.EXE_6156_2428_1120.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400693_WINWORD.EXE_6156_2428_1119.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400693_WINWORD.EXE_6156_2428_1118.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400694_WINWORD.EXE_6156_2428_1117.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400694_WINWORD.EXE_6156_2428_1116.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400695_WINWORD.EXE_6156_2428_1115.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400695_WINWORD.EXE_6156_2428_1114.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400695_WINWORD.EXE_6156_2428_1113.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400696_WINWORD.EXE_6156_2428_1112.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400696_WINWORD.EXE_6156_2428_1111.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400697_WINWORD.EXE_6156_2428_1110.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400697_WINWORD.EXE_6156_2428_1109.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400698_WINWORD.EXE_6156_2428_1108.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400698_WINWORD.EXE_6156_2428_1107.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400699_WINWORD.EXE_6156_2428_1106.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400699_WINWORD.EXE_6156_2428_1105.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400700_WINWORD.EXE_6156_2428_1104.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400700_WINWORD.EXE_6156_2428_1103.dmp2021-04-22 17:57:49.892 11241100x80000000000000002496561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.892{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400701_WINWORD.EXE_6156_2428_1102.dmp2021-04-22 17:57:49.891 11241100x80000000000000002496560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.891{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400701_WINWORD.EXE_6156_2428_1101.dmp2021-04-22 17:57:49.891 11241100x80000000000000002496559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.891{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.890{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0938A88F4CC516E9B8081255DEE04B3,SHA256=AD7F7A8B902A6E4F69EB8C919B93D9B178B6F9684DD30CD2AB36AC56AE8C7F64falsefalse - insufficient disk space 11241100x80000000000000002496557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.890{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400702_WINWORD.EXE_6156_2428_1100.dmp2021-04-22 17:57:49.890 11241100x80000000000000002496556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.890{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400702_WINWORD.EXE_6156_2428_1099.dmp2021-04-22 17:57:49.889 11241100x80000000000000002496555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.889{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400703_WINWORD.EXE_6156_2428_1098.dmp2021-04-22 17:57:49.889 11241100x80000000000000002496554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.888{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400704_WINWORD.EXE_6156_2428_1097.dmp2021-04-22 17:57:49.888 11241100x80000000000000002496553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.888{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400704_WINWORD.EXE_6156_2428_1096.dmp2021-04-22 17:57:49.888 11241100x80000000000000002496552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.887{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400705_WINWORD.EXE_6156_2428_1095.dmp2021-04-22 17:57:49.887 11241100x80000000000000002496551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.886{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400705_WINWORD.EXE_6156_2428_1094.dmp2021-04-22 17:57:49.886 11241100x80000000000000002496550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.886{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400706_WINWORD.EXE_6156_2428_1093.dmp2021-04-22 17:57:49.886 11241100x80000000000000002496549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400706_WINWORD.EXE_6156_2428_1092.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400707_WINWORD.EXE_6156_2428_1091.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400707_WINWORD.EXE_6156_2428_1090.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400708_WINWORD.EXE_6156_2428_1089.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400708_WINWORD.EXE_6156_2428_1088.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400709_WINWORD.EXE_6156_2428_1087.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400709_WINWORD.EXE_6156_2428_1086.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400709_WINWORD.EXE_6156_2428_1085.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400710_WINWORD.EXE_6156_2428_1084.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400710_WINWORD.EXE_6156_2428_1083.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400711_WINWORD.EXE_6156_2428_1082.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400711_WINWORD.EXE_6156_2428_1081.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400712_WINWORD.EXE_6156_2428_1080.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400712_WINWORD.EXE_6156_2428_1079.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400713_WINWORD.EXE_6156_2428_1078.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400713_WINWORD.EXE_6156_2428_1077.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400713_WINWORD.EXE_6156_2428_1076.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400714_WINWORD.EXE_6156_2428_1075.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400714_WINWORD.EXE_6156_2428_1074.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400715_WINWORD.EXE_6156_2428_1073.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400715_WINWORD.EXE_6156_2428_1072.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400716_WINWORD.EXE_6156_2428_1071.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400716_WINWORD.EXE_6156_2428_1070.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400717_WINWORD.EXE_6156_2428_1069.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400717_WINWORD.EXE_6156_2428_1068.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400717_WINWORD.EXE_6156_2428_1067.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400718_WINWORD.EXE_6156_2428_1066.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400718_WINWORD.EXE_6156_2428_1065.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400719_WINWORD.EXE_6156_2428_1064.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400719_WINWORD.EXE_6156_2428_1063.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400720_WINWORD.EXE_6156_2428_1062.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400720_WINWORD.EXE_6156_2428_1061.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400721_WINWORD.EXE_6156_2428_1060.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400721_WINWORD.EXE_6156_2428_1059.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400721_WINWORD.EXE_6156_2428_1058.dmp2021-04-22 17:57:49.870 11241100x80000000000000002496514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.870{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400722_WINWORD.EXE_6156_2428_1057.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400722_WINWORD.EXE_6156_2428_1056.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400723_WINWORD.EXE_6156_2428_1055.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400723_WINWORD.EXE_6156_2428_1054.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400724_WINWORD.EXE_6156_2428_1053.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400724_WINWORD.EXE_6156_2428_1052.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400725_WINWORD.EXE_6156_2428_1051.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400725_WINWORD.EXE_6156_2428_1050.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400725_WINWORD.EXE_6156_2428_1049.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400726_WINWORD.EXE_6156_2428_1048.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400726_WINWORD.EXE_6156_2428_1047.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400727_WINWORD.EXE_6156_2428_1046.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400727_WINWORD.EXE_6156_2428_1045.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400728_WINWORD.EXE_6156_2428_1044.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400728_WINWORD.EXE_6156_2428_1043.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400728_WINWORD.EXE_6156_2428_1042.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400729_WINWORD.EXE_6156_2428_1041.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400729_WINWORD.EXE_6156_2428_1040.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400730_WINWORD.EXE_6156_2428_1039.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400730_WINWORD.EXE_6156_2428_1038.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400731_WINWORD.EXE_6156_2428_1037.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400731_WINWORD.EXE_6156_2428_1036.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400732_WINWORD.EXE_6156_2428_1035.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400732_WINWORD.EXE_6156_2428_1034.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400732_WINWORD.EXE_6156_2428_1033.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400733_WINWORD.EXE_6156_2428_1032.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400733_WINWORD.EXE_6156_2428_1031.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400734_WINWORD.EXE_6156_2428_1030.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400734_WINWORD.EXE_6156_2428_1029.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400735_WINWORD.EXE_6156_2428_1028.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400735_WINWORD.EXE_6156_2428_1027.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400735_WINWORD.EXE_6156_2428_1026.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400736_WINWORD.EXE_6156_2428_1025.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400736_WINWORD.EXE_6156_2428_1024.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400737_WINWORD.EXE_6156_2428_1023.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.855{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400737_WINWORD.EXE_6156_2428_1022.dmp2021-04-22 17:57:49.855 11241100x80000000000000002496478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400738_WINWORD.EXE_6156_2428_1021.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400738_WINWORD.EXE_6156_2428_1020.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400739_WINWORD.EXE_6156_2428_1019.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400739_WINWORD.EXE_6156_2428_1018.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400740_WINWORD.EXE_6156_2428_1017.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400740_WINWORD.EXE_6156_2428_1016.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400741_WINWORD.EXE_6156_2428_1015.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400741_WINWORD.EXE_6156_2428_1014.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400741_WINWORD.EXE_6156_2428_1013.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400742_WINWORD.EXE_6156_2428_1012.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400742_WINWORD.EXE_6156_2428_1011.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400743_WINWORD.EXE_6156_2428_1010.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400743_WINWORD.EXE_6156_2428_1009.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400747_WINWORD.EXE_6156_2428_1008.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400747_WINWORD.EXE_6156_2428_1007.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400748_WINWORD.EXE_6156_2428_1006.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400748_WINWORD.EXE_6156_2428_1005.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400749_WINWORD.EXE_6156_2428_1004.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400749_WINWORD.EXE_6156_2428_1003.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400749_WINWORD.EXE_6156_2428_1002.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400750_WINWORD.EXE_6156_2428_1001.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400750_WINWORD.EXE_6156_2428_1000.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400751_WINWORD.EXE_6156_2428_999.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400751_WINWORD.EXE_6156_2428_998.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400752_WINWORD.EXE_6156_2428_997.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400752_WINWORD.EXE_6156_2428_996.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400753_WINWORD.EXE_6156_2428_995.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.839{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400753_WINWORD.EXE_6156_2428_994.dmp2021-04-22 17:57:49.839 11241100x80000000000000002496450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400753_WINWORD.EXE_6156_2428_993.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400754_WINWORD.EXE_6156_2428_992.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400754_WINWORD.EXE_6156_2428_991.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400755_WINWORD.EXE_6156_2428_990.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400755_WINWORD.EXE_6156_2428_989.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400756_WINWORD.EXE_6156_2428_988.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400756_WINWORD.EXE_6156_2428_987.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400757_WINWORD.EXE_6156_2428_986.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400757_WINWORD.EXE_6156_2428_985.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400757_WINWORD.EXE_6156_2428_984.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400758_WINWORD.EXE_6156_2428_983.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400758_WINWORD.EXE_6156_2428_982.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400759_WINWORD.EXE_6156_2428_981.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400759_WINWORD.EXE_6156_2428_980.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400760_WINWORD.EXE_6156_2428_979.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400760_WINWORD.EXE_6156_2428_978.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400761_WINWORD.EXE_6156_2428_977.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400761_WINWORD.EXE_6156_2428_976.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400761_WINWORD.EXE_6156_2428_975.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400762_WINWORD.EXE_6156_2428_974.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400762_WINWORD.EXE_6156_2428_973.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400763_WINWORD.EXE_6156_2428_972.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400763_WINWORD.EXE_6156_2428_971.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400764_WINWORD.EXE_6156_2428_970.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400764_WINWORD.EXE_6156_2428_969.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400765_WINWORD.EXE_6156_2428_968.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400765_WINWORD.EXE_6156_2428_967.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400765_WINWORD.EXE_6156_2428_966.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400766_WINWORD.EXE_6156_2428_965.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400766_WINWORD.EXE_6156_2428_964.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400767_WINWORD.EXE_6156_2428_963.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400767_WINWORD.EXE_6156_2428_962.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400768_WINWORD.EXE_6156_2428_961.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400768_WINWORD.EXE_6156_2428_960.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.823{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400769_WINWORD.EXE_6156_2428_959.dmp2021-04-22 17:57:49.823 11241100x80000000000000002496415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400769_WINWORD.EXE_6156_2428_958.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400770_WINWORD.EXE_6156_2428_957.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400770_WINWORD.EXE_6156_2428_956.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400770_WINWORD.EXE_6156_2428_955.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400771_WINWORD.EXE_6156_2428_954.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400771_WINWORD.EXE_6156_2428_953.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400772_WINWORD.EXE_6156_2428_952.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400772_WINWORD.EXE_6156_2428_951.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400773_WINWORD.EXE_6156_2428_950.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400773_WINWORD.EXE_6156_2428_949.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400773_WINWORD.EXE_6156_2428_948.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400774_WINWORD.EXE_6156_2428_947.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400774_WINWORD.EXE_6156_2428_946.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400775_WINWORD.EXE_6156_2428_945.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400775_WINWORD.EXE_6156_2428_944.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400776_WINWORD.EXE_6156_2428_943.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400776_WINWORD.EXE_6156_2428_942.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400777_WINWORD.EXE_6156_2428_941.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400777_WINWORD.EXE_6156_2428_940.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400778_WINWORD.EXE_6156_2428_939.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400778_WINWORD.EXE_6156_2428_938.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400778_WINWORD.EXE_6156_2428_937.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400779_WINWORD.EXE_6156_2428_936.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400779_WINWORD.EXE_6156_2428_935.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400780_WINWORD.EXE_6156_2428_934.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400780_WINWORD.EXE_6156_2428_933.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400781_WINWORD.EXE_6156_2428_932.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400781_WINWORD.EXE_6156_2428_931.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400782_WINWORD.EXE_6156_2428_930.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400782_WINWORD.EXE_6156_2428_929.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400783_WINWORD.EXE_6156_2428_928.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400783_WINWORD.EXE_6156_2428_927.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400784_WINWORD.EXE_6156_2428_926.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.808{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400784_WINWORD.EXE_6156_2428_925.dmp2021-04-22 17:57:49.808 11241100x80000000000000002496381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400785_WINWORD.EXE_6156_2428_924.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400785_WINWORD.EXE_6156_2428_923.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400785_WINWORD.EXE_6156_2428_922.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400786_WINWORD.EXE_6156_2428_921.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400786_WINWORD.EXE_6156_2428_920.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400787_WINWORD.EXE_6156_2428_919.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400787_WINWORD.EXE_6156_2428_918.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400788_WINWORD.EXE_6156_2428_917.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400788_WINWORD.EXE_6156_2428_916.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400789_WINWORD.EXE_6156_2428_915.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400789_WINWORD.EXE_6156_2428_914.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400789_WINWORD.EXE_6156_2428_913.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400790_WINWORD.EXE_6156_2428_912.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400790_WINWORD.EXE_6156_2428_911.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400791_WINWORD.EXE_6156_2428_910.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400791_WINWORD.EXE_6156_2428_909.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400792_WINWORD.EXE_6156_2428_908.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400792_WINWORD.EXE_6156_2428_907.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400793_WINWORD.EXE_6156_2428_906.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400793_WINWORD.EXE_6156_2428_905.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400794_WINWORD.EXE_6156_2428_904.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400794_WINWORD.EXE_6156_2428_903.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400794_WINWORD.EXE_6156_2428_902.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400795_WINWORD.EXE_6156_2428_901.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400795_WINWORD.EXE_6156_2428_900.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400796_WINWORD.EXE_6156_2428_899.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400796_WINWORD.EXE_6156_2428_898.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400797_WINWORD.EXE_6156_2428_897.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400797_WINWORD.EXE_6156_2428_896.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400798_WINWORD.EXE_6156_2428_895.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400798_WINWORD.EXE_6156_2428_894.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400798_WINWORD.EXE_6156_2428_893.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400799_WINWORD.EXE_6156_2428_892.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400799_WINWORD.EXE_6156_2428_891.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400800_WINWORD.EXE_6156_2428_890.dmp2021-04-22 17:57:49.792 11241100x80000000000000002496346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.792{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400800_WINWORD.EXE_6156_2428_889.dmp2021-04-22 17:57:49.791 11241100x80000000000000002496345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.791{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400801_WINWORD.EXE_6156_2428_888.dmp2021-04-22 17:57:49.791 11241100x80000000000000002496344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.791{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400801_WINWORD.EXE_6156_2428_887.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.790{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400802_WINWORD.EXE_6156_2428_886.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.790{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400802_WINWORD.EXE_6156_2428_885.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.790{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400802_WINWORD.EXE_6156_2428_884.dmp2021-04-22 17:57:49.790 11241100x80000000000000002496340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.789{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400803_WINWORD.EXE_6156_2428_883.dmp2021-04-22 17:57:49.789 11241100x80000000000000002496339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.789{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400803_WINWORD.EXE_6156_2428_882.dmp2021-04-22 17:57:49.789 11241100x80000000000000002496338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.788{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400804_WINWORD.EXE_6156_2428_881.dmp2021-04-22 17:57:49.788 11241100x80000000000000002496337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.788{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400804_WINWORD.EXE_6156_2428_880.dmp2021-04-22 17:57:49.788 11241100x80000000000000002496336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.787{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400805_WINWORD.EXE_6156_2428_879.dmp2021-04-22 17:57:49.787 11241100x80000000000000002496335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.787{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400805_WINWORD.EXE_6156_2428_878.dmp2021-04-22 17:57:49.787 11241100x80000000000000002496334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.786{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400806_WINWORD.EXE_6156_2428_877.dmp2021-04-22 17:57:49.786 11241100x80000000000000002496333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.786{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400806_WINWORD.EXE_6156_2428_876.dmp2021-04-22 17:57:49.786 11241100x80000000000000002496332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400807_WINWORD.EXE_6156_2428_875.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400807_WINWORD.EXE_6156_2428_874.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400808_WINWORD.EXE_6156_2428_873.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400808_WINWORD.EXE_6156_2428_872.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400808_WINWORD.EXE_6156_2428_871.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400809_WINWORD.EXE_6156_2428_870.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400809_WINWORD.EXE_6156_2428_869.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400810_WINWORD.EXE_6156_2428_868.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400810_WINWORD.EXE_6156_2428_867.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400811_WINWORD.EXE_6156_2428_866.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400811_WINWORD.EXE_6156_2428_865.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400812_WINWORD.EXE_6156_2428_864.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400812_WINWORD.EXE_6156_2428_863.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400813_WINWORD.EXE_6156_2428_862.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400813_WINWORD.EXE_6156_2428_861.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400813_WINWORD.EXE_6156_2428_860.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400814_WINWORD.EXE_6156_2428_859.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400814_WINWORD.EXE_6156_2428_858.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400815_WINWORD.EXE_6156_2428_857.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400815_WINWORD.EXE_6156_2428_856.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400816_WINWORD.EXE_6156_2428_855.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400816_WINWORD.EXE_6156_2428_854.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400817_WINWORD.EXE_6156_2428_853.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400817_WINWORD.EXE_6156_2428_852.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400817_WINWORD.EXE_6156_2428_851.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400818_WINWORD.EXE_6156_2428_850.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400818_WINWORD.EXE_6156_2428_849.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400819_WINWORD.EXE_6156_2428_848.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400819_WINWORD.EXE_6156_2428_847.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400820_WINWORD.EXE_6156_2428_846.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400820_WINWORD.EXE_6156_2428_845.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400821_WINWORD.EXE_6156_2428_844.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400821_WINWORD.EXE_6156_2428_843.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400822_WINWORD.EXE_6156_2428_842.dmp2021-04-22 17:57:49.770 11241100x80000000000000002496298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.770{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400822_WINWORD.EXE_6156_2428_841.dmp2021-04-22 17:57:49.770 10341000x80000000000000002496297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.754{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002496296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.754{21761711-B7F2-6081-6F86-00000000BB01}61562428C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c98f|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d457|UNKNOWN(000001482C8CB72A) 154100x80000000000000002496295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.769{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.exeC:\Windows\SysWOW64\cscript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=25F006365CE5690FE06550D634FE36A1,SHA256=873A28C3A6D1D6278B4FA422F65FADF18150301D31B9AFA694BDB5E3BD6A165D{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Administrator\Desktop\asr_atomic.dotm 11241100x80000000000000002496294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.754{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400825_WINWORD.EXE_6156_2428_840.dmp2021-04-22 17:57:49.754 11241100x80000000000000002496293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.122{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.122{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D308C73C5A8E267F043FEBA5AD3368AE,SHA256=534B565FFD4DF7E79094FB70BA0FEA0C2BFF7BB03197D56D59AB8B903AABF291falsefalse - insufficient disk space 23542300x80000000000000001550723Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.660{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550722Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.245{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550721Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.245{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550720Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.182{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E1D101AC6611BEF62BD4F839338A48,SHA256=D2DDD2AE2D6344D1BFBEB9FD8453A6DEC3726B4CF7972F60517E88F295D423A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.823{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.823{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23AA3A3DD710656A0798D7FA7C55BC33,SHA256=6FCDA09338A3444D8C69587186D8AE12FCF5142D8B245714A61B1370CED7555Ffalsefalse - insufficient disk space 12241200x80000000000000002497276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 11241100x80000000000000002497275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000002497274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 23542300x80000000000000002497273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B512CBAB2D23B7155AC0B2B30DDA56,SHA256=3A129708420FB7CDFA9493E1BA58568A8D3DB7E67F51D935225ACC85B083AD8Bfalsefalse - insufficient disk space 734700x80000000000000002497272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x80000000000000002497271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.270{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 13241300x80000000000000002497270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000002497269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000002497268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x80000000000000002497267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000002497266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000002497265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000002497264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x80000000000000002497263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x80000000000000002497262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=6A4EC7FCDF21570DCB1AAEA8BCE6C68B,SHA256=11DF4EEFA9F2EAB3440D073442C14884AA4145360F1ADB63B220431E5D01BB2CtrueMicrosoft WindowsValid 12241200x80000000000000002497261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x80000000000000002497260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 10341000x80000000000000002497259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x80000000000000002497257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002497256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x80000000000000002497255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x80000000000000002497254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x80000000000000002497253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002497252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000002497251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x80000000000000002497250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x80000000000000002497249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000002497248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x80000000000000002497247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=5956013FD503AA525624271D79C23A41,SHA256=F678669E7BDEAA35648FD330F23627EA15B2D79D263610F46FB1B3881AEDBF74trueMicrosoft WindowsValid 734700x80000000000000002497246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x80000000000000002497245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x80000000000000002497244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.254{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x80000000000000002497243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000002497242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000002497241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000002497240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000002497239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1112AB17E3ABDFF5F20CB2F465A2E117,SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076trueMicrosoft WindowsValid 10341000x80000000000000002497238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000002497235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=D72267FB5D321279DE909DB118CDEEFE,SHA256=D8386DCF2ACF3D48A2C95CCF6C3A9505E1CA99FF803027D76068596A34210FAEtrueMicrosoft WindowsValid 734700x80000000000000002497234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4283 (rs1_release.210303-1802)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=253114E61AAAE4A12B73BAA54FBAAA62,SHA256=738E566E19705CA3190F448EDA108FAB2324C6A6E9DAAA12024777C9C5E6BF0EtrueMicrosoft WindowsValid 734700x80000000000000002497233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000002497232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x80000000000000002497231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000002497230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000002497229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 11241100x80000000000000002497228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000002497227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 23542300x80000000000000002497226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0B22558DFDF994E29830B35852DB21,SHA256=D358D200C0BC193A4D787B50FA524CC819E8EE4E6BBB322BFB657A4DC1594B1Bfalsefalse - insufficient disk space 734700x80000000000000002497225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000002497224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x80000000000000002497223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000002497222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000002497221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000002497220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000002497219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000002497218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000002497217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000002497216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000002497215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.239{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000002497214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 13241300x80000000000000002497213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001E049E\VirtualDesktopBinary Data 12241200x80000000000000002497205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001E049E 10341000x80000000000000002497204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002497202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002497201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000002497198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.223{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000002497192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000002497191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-83AE-607D-1600-00000000BB01}11082420C:\Windows\system32\svchost.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000002497188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000002497187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000002497185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002497184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000002497183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000002497182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000002497181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 10341000x80000000000000002497180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428216C:\Windows\system32\conhost.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000002497178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000002497176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000002497173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=C16CC61A395D046B4294C92F7C1FD0C2,SHA256=6B5240C0D6F5C1E87A7713CAB668FA9DB0E54492441979ACBD7EA9323724C1B8trueMicrosoft WindowsValid 734700x80000000000000002497164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.207{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000002497163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000002497162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000002497158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.205{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\cscript.exe 734700x80000000000000002497157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000002497156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002497155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000002497154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000002497151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000002497149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000002497148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000002497147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exeC:\Windows\SysWOW64\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.exeMD5=25F006365CE5690FE06550D634FE36A1,SHA256=873A28C3A6D1D6278B4FA422F65FADF18150301D31B9AFA694BDB5E3BD6A165DtrueMicrosoft WindowsValid 824800x80000000000000002497145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe59400x00000000029D0000-- 11241100x80000000000000002497144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400392_WINWORD.EXE_6156_2428_1677.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400393_WINWORD.EXE_6156_2428_1676.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400393_WINWORD.EXE_6156_2428_1675.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400393_WINWORD.EXE_6156_2428_1674.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400394_WINWORD.EXE_6156_2428_1673.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400394_WINWORD.EXE_6156_2428_1672.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400395_WINWORD.EXE_6156_2428_1671.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400395_WINWORD.EXE_6156_2428_1670.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400396_WINWORD.EXE_6156_2428_1669.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400396_WINWORD.EXE_6156_2428_1668.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400397_WINWORD.EXE_6156_2428_1667.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400397_WINWORD.EXE_6156_2428_1666.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400398_WINWORD.EXE_6156_2428_1665.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400398_WINWORD.EXE_6156_2428_1664.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400398_WINWORD.EXE_6156_2428_1663.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400399_WINWORD.EXE_6156_2428_1662.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400399_WINWORD.EXE_6156_2428_1661.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400400_WINWORD.EXE_6156_2428_1660.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.192{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400400_WINWORD.EXE_6156_2428_1659.dmp2021-04-22 17:57:50.192 11241100x80000000000000002497125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.191{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400401_WINWORD.EXE_6156_2428_1658.dmp2021-04-22 17:57:50.191 11241100x80000000000000002497124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.191{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400401_WINWORD.EXE_6156_2428_1657.dmp2021-04-22 17:57:50.191 11241100x80000000000000002497123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.190{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400402_WINWORD.EXE_6156_2428_1656.dmp2021-04-22 17:57:50.190 11241100x80000000000000002497122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.190{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400402_WINWORD.EXE_6156_2428_1655.dmp2021-04-22 17:57:50.190 11241100x80000000000000002497121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.190{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400402_WINWORD.EXE_6156_2428_1654.dmp2021-04-22 17:57:50.189 11241100x80000000000000002497120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.189{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400403_WINWORD.EXE_6156_2428_1653.dmp2021-04-22 17:57:50.189 11241100x80000000000000002497119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.189{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400403_WINWORD.EXE_6156_2428_1652.dmp2021-04-22 17:57:50.188 11241100x80000000000000002497118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.188{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400404_WINWORD.EXE_6156_2428_1651.dmp2021-04-22 17:57:50.188 11241100x80000000000000002497117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.188{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400404_WINWORD.EXE_6156_2428_1650.dmp2021-04-22 17:57:50.188 11241100x80000000000000002497116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.187{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400405_WINWORD.EXE_6156_2428_1649.dmp2021-04-22 17:57:50.187 11241100x80000000000000002497115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.187{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400405_WINWORD.EXE_6156_2428_1648.dmp2021-04-22 17:57:50.187 11241100x80000000000000002497114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.186{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400406_WINWORD.EXE_6156_2428_1647.dmp2021-04-22 17:57:50.186 11241100x80000000000000002497113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.186{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400406_WINWORD.EXE_6156_2428_1646.dmp2021-04-22 17:57:50.186 11241100x80000000000000002497112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400407_WINWORD.EXE_6156_2428_1645.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400407_WINWORD.EXE_6156_2428_1644.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400407_WINWORD.EXE_6156_2428_1643.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400408_WINWORD.EXE_6156_2428_1642.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400408_WINWORD.EXE_6156_2428_1641.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400409_WINWORD.EXE_6156_2428_1640.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400409_WINWORD.EXE_6156_2428_1639.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400410_WINWORD.EXE_6156_2428_1638.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400410_WINWORD.EXE_6156_2428_1637.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400411_WINWORD.EXE_6156_2428_1636.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400411_WINWORD.EXE_6156_2428_1635.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400411_WINWORD.EXE_6156_2428_1634.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400412_WINWORD.EXE_6156_2428_1633.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400412_WINWORD.EXE_6156_2428_1632.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400413_WINWORD.EXE_6156_2428_1631.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400413_WINWORD.EXE_6156_2428_1630.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400414_WINWORD.EXE_6156_2428_1629.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400414_WINWORD.EXE_6156_2428_1628.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400415_WINWORD.EXE_6156_2428_1627.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400415_WINWORD.EXE_6156_2428_1626.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400416_WINWORD.EXE_6156_2428_1625.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 11241100x80000000000000002497090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400416_WINWORD.EXE_6156_2428_1624.dmp2021-04-22 17:57:50.170 23542300x80000000000000002497089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DF5CA54A52E5E1BDCDF9B638A84CE8,SHA256=4773A44D78CDA9C86361DABB9350CF2E28B8C0FFA915E13342AF4FC38C104645falsefalse - insufficient disk space 11241100x80000000000000002497088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400417_WINWORD.EXE_6156_2428_1623.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400417_WINWORD.EXE_6156_2428_1622.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400418_WINWORD.EXE_6156_2428_1621.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400419_WINWORD.EXE_6156_2428_1620.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400419_WINWORD.EXE_6156_2428_1619.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400420_WINWORD.EXE_6156_2428_1618.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400420_WINWORD.EXE_6156_2428_1617.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400421_WINWORD.EXE_6156_2428_1616.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400421_WINWORD.EXE_6156_2428_1615.dmp2021-04-22 17:57:50.170 11241100x80000000000000002497079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.170{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400422_WINWORD.EXE_6156_2428_1614.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400422_WINWORD.EXE_6156_2428_1613.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400423_WINWORD.EXE_6156_2428_1612.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400423_WINWORD.EXE_6156_2428_1611.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400424_WINWORD.EXE_6156_2428_1610.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400424_WINWORD.EXE_6156_2428_1609.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400425_WINWORD.EXE_6156_2428_1608.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400425_WINWORD.EXE_6156_2428_1607.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400426_WINWORD.EXE_6156_2428_1606.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400426_WINWORD.EXE_6156_2428_1605.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400426_WINWORD.EXE_6156_2428_1604.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400427_WINWORD.EXE_6156_2428_1603.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400427_WINWORD.EXE_6156_2428_1602.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400428_WINWORD.EXE_6156_2428_1601.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400428_WINWORD.EXE_6156_2428_1600.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400429_WINWORD.EXE_6156_2428_1599.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400429_WINWORD.EXE_6156_2428_1598.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400430_WINWORD.EXE_6156_2428_1597.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400430_WINWORD.EXE_6156_2428_1596.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400430_WINWORD.EXE_6156_2428_1595.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400431_WINWORD.EXE_6156_2428_1594.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400431_WINWORD.EXE_6156_2428_1593.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400432_WINWORD.EXE_6156_2428_1592.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400432_WINWORD.EXE_6156_2428_1591.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400433_WINWORD.EXE_6156_2428_1590.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400433_WINWORD.EXE_6156_2428_1589.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400434_WINWORD.EXE_6156_2428_1588.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400434_WINWORD.EXE_6156_2428_1587.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400435_WINWORD.EXE_6156_2428_1586.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400435_WINWORD.EXE_6156_2428_1585.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400435_WINWORD.EXE_6156_2428_1584.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400436_WINWORD.EXE_6156_2428_1583.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400436_WINWORD.EXE_6156_2428_1582.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400437_WINWORD.EXE_6156_2428_1581.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.155{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400437_WINWORD.EXE_6156_2428_1580.dmp2021-04-22 17:57:50.155 11241100x80000000000000002497044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400438_WINWORD.EXE_6156_2428_1579.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400438_WINWORD.EXE_6156_2428_1578.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400439_WINWORD.EXE_6156_2428_1577.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400439_WINWORD.EXE_6156_2428_1576.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400440_WINWORD.EXE_6156_2428_1575.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400440_WINWORD.EXE_6156_2428_1574.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400440_WINWORD.EXE_6156_2428_1573.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400441_WINWORD.EXE_6156_2428_1572.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400441_WINWORD.EXE_6156_2428_1571.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400442_WINWORD.EXE_6156_2428_1570.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400442_WINWORD.EXE_6156_2428_1569.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400443_WINWORD.EXE_6156_2428_1568.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400443_WINWORD.EXE_6156_2428_1567.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400444_WINWORD.EXE_6156_2428_1566.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400444_WINWORD.EXE_6156_2428_1565.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400445_WINWORD.EXE_6156_2428_1564.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400445_WINWORD.EXE_6156_2428_1563.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400445_WINWORD.EXE_6156_2428_1562.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400446_WINWORD.EXE_6156_2428_1561.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400446_WINWORD.EXE_6156_2428_1560.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400447_WINWORD.EXE_6156_2428_1559.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400447_WINWORD.EXE_6156_2428_1558.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400448_WINWORD.EXE_6156_2428_1557.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400448_WINWORD.EXE_6156_2428_1556.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400449_WINWORD.EXE_6156_2428_1555.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400449_WINWORD.EXE_6156_2428_1554.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400449_WINWORD.EXE_6156_2428_1553.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400450_WINWORD.EXE_6156_2428_1552.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400450_WINWORD.EXE_6156_2428_1551.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400451_WINWORD.EXE_6156_2428_1550.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400451_WINWORD.EXE_6156_2428_1549.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400452_WINWORD.EXE_6156_2428_1548.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400452_WINWORD.EXE_6156_2428_1547.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400453_WINWORD.EXE_6156_2428_1546.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.139{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400453_WINWORD.EXE_6156_2428_1545.dmp2021-04-22 17:57:50.139 11241100x80000000000000002497009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400454_WINWORD.EXE_6156_2428_1544.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400454_WINWORD.EXE_6156_2428_1543.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400454_WINWORD.EXE_6156_2428_1542.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400455_WINWORD.EXE_6156_2428_1541.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400455_WINWORD.EXE_6156_2428_1540.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400456_WINWORD.EXE_6156_2428_1539.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400456_WINWORD.EXE_6156_2428_1538.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400457_WINWORD.EXE_6156_2428_1537.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400457_WINWORD.EXE_6156_2428_1536.dmp2021-04-22 17:57:50.123 11241100x80000000000000002497000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400458_WINWORD.EXE_6156_2428_1535.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400458_WINWORD.EXE_6156_2428_1534.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400459_WINWORD.EXE_6156_2428_1533.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400459_WINWORD.EXE_6156_2428_1532.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400460_WINWORD.EXE_6156_2428_1531.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400460_WINWORD.EXE_6156_2428_1530.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400460_WINWORD.EXE_6156_2428_1529.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400461_WINWORD.EXE_6156_2428_1528.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400461_WINWORD.EXE_6156_2428_1527.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400462_WINWORD.EXE_6156_2428_1526.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400462_WINWORD.EXE_6156_2428_1525.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400463_WINWORD.EXE_6156_2428_1524.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400463_WINWORD.EXE_6156_2428_1523.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400464_WINWORD.EXE_6156_2428_1522.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400464_WINWORD.EXE_6156_2428_1521.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400467_WINWORD.EXE_6156_2428_1520.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400468_WINWORD.EXE_6156_2428_1519.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400468_WINWORD.EXE_6156_2428_1518.dmp2021-04-22 17:57:50.123 11241100x80000000000000002496982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.123{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400469_WINWORD.EXE_6156_2428_1517.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400469_WINWORD.EXE_6156_2428_1516.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400470_WINWORD.EXE_6156_2428_1515.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400470_WINWORD.EXE_6156_2428_1514.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400471_WINWORD.EXE_6156_2428_1513.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400471_WINWORD.EXE_6156_2428_1512.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400472_WINWORD.EXE_6156_2428_1511.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400472_WINWORD.EXE_6156_2428_1510.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400473_WINWORD.EXE_6156_2428_1509.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400473_WINWORD.EXE_6156_2428_1508.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400474_WINWORD.EXE_6156_2428_1507.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400474_WINWORD.EXE_6156_2428_1506.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400475_WINWORD.EXE_6156_2428_1505.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400475_WINWORD.EXE_6156_2428_1504.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400475_WINWORD.EXE_6156_2428_1503.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400476_WINWORD.EXE_6156_2428_1502.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400476_WINWORD.EXE_6156_2428_1501.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400477_WINWORD.EXE_6156_2428_1500.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400477_WINWORD.EXE_6156_2428_1499.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400478_WINWORD.EXE_6156_2428_1498.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400478_WINWORD.EXE_6156_2428_1497.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400479_WINWORD.EXE_6156_2428_1496.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400479_WINWORD.EXE_6156_2428_1495.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400480_WINWORD.EXE_6156_2428_1494.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400480_WINWORD.EXE_6156_2428_1493.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400481_WINWORD.EXE_6156_2428_1492.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400481_WINWORD.EXE_6156_2428_1491.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400482_WINWORD.EXE_6156_2428_1490.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400482_WINWORD.EXE_6156_2428_1489.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400482_WINWORD.EXE_6156_2428_1488.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400483_WINWORD.EXE_6156_2428_1487.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400483_WINWORD.EXE_6156_2428_1486.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400484_WINWORD.EXE_6156_2428_1485.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.108{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400484_WINWORD.EXE_6156_2428_1484.dmp2021-04-22 17:57:50.108 11241100x80000000000000002496948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400485_WINWORD.EXE_6156_2428_1483.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400485_WINWORD.EXE_6156_2428_1482.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400486_WINWORD.EXE_6156_2428_1481.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400486_WINWORD.EXE_6156_2428_1480.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400487_WINWORD.EXE_6156_2428_1479.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400487_WINWORD.EXE_6156_2428_1478.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400488_WINWORD.EXE_6156_2428_1477.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400488_WINWORD.EXE_6156_2428_1476.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400489_WINWORD.EXE_6156_2428_1475.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400489_WINWORD.EXE_6156_2428_1474.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400490_WINWORD.EXE_6156_2428_1473.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400490_WINWORD.EXE_6156_2428_1472.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400491_WINWORD.EXE_6156_2428_1471.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400491_WINWORD.EXE_6156_2428_1470.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400491_WINWORD.EXE_6156_2428_1469.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400492_WINWORD.EXE_6156_2428_1468.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400492_WINWORD.EXE_6156_2428_1467.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400493_WINWORD.EXE_6156_2428_1466.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400493_WINWORD.EXE_6156_2428_1465.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400494_WINWORD.EXE_6156_2428_1464.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400494_WINWORD.EXE_6156_2428_1463.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400495_WINWORD.EXE_6156_2428_1462.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400495_WINWORD.EXE_6156_2428_1461.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400496_WINWORD.EXE_6156_2428_1460.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400496_WINWORD.EXE_6156_2428_1459.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400497_WINWORD.EXE_6156_2428_1458.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400497_WINWORD.EXE_6156_2428_1457.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400498_WINWORD.EXE_6156_2428_1456.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400498_WINWORD.EXE_6156_2428_1455.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400499_WINWORD.EXE_6156_2428_1454.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400499_WINWORD.EXE_6156_2428_1453.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400500_WINWORD.EXE_6156_2428_1452.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.092{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400500_WINWORD.EXE_6156_2428_1451.dmp2021-04-22 17:57:50.092 11241100x80000000000000002496915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.091{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400500_WINWORD.EXE_6156_2428_1450.dmp2021-04-22 17:57:50.091 11241100x80000000000000002496914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.091{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400501_WINWORD.EXE_6156_2428_1449.dmp2021-04-22 17:57:50.091 11241100x80000000000000002496913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.090{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400501_WINWORD.EXE_6156_2428_1448.dmp2021-04-22 17:57:50.090 11241100x80000000000000002496912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.090{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400502_WINWORD.EXE_6156_2428_1447.dmp2021-04-22 17:57:50.090 11241100x80000000000000002496911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.089{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400502_WINWORD.EXE_6156_2428_1446.dmp2021-04-22 17:57:50.089 11241100x80000000000000002496910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.089{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400503_WINWORD.EXE_6156_2428_1445.dmp2021-04-22 17:57:50.089 11241100x80000000000000002496909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.088{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400503_WINWORD.EXE_6156_2428_1444.dmp2021-04-22 17:57:50.088 11241100x80000000000000002496908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.088{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400504_WINWORD.EXE_6156_2428_1443.dmp2021-04-22 17:57:50.088 11241100x80000000000000002496907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.088{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400504_WINWORD.EXE_6156_2428_1442.dmp2021-04-22 17:57:50.088 11241100x80000000000000002496906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.087{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400505_WINWORD.EXE_6156_2428_1441.dmp2021-04-22 17:57:50.087 11241100x80000000000000002496905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.087{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400505_WINWORD.EXE_6156_2428_1440.dmp2021-04-22 17:57:50.087 11241100x80000000000000002496904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.086{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400506_WINWORD.EXE_6156_2428_1439.dmp2021-04-22 17:57:50.086 11241100x80000000000000002496903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400506_WINWORD.EXE_6156_2428_1438.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400507_WINWORD.EXE_6156_2428_1437.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400507_WINWORD.EXE_6156_2428_1436.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400508_WINWORD.EXE_6156_2428_1435.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400508_WINWORD.EXE_6156_2428_1434.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400509_WINWORD.EXE_6156_2428_1433.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400509_WINWORD.EXE_6156_2428_1432.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400510_WINWORD.EXE_6156_2428_1431.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400510_WINWORD.EXE_6156_2428_1430.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400511_WINWORD.EXE_6156_2428_1429.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400511_WINWORD.EXE_6156_2428_1428.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400511_WINWORD.EXE_6156_2428_1427.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400512_WINWORD.EXE_6156_2428_1426.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400512_WINWORD.EXE_6156_2428_1425.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400513_WINWORD.EXE_6156_2428_1424.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400513_WINWORD.EXE_6156_2428_1423.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400514_WINWORD.EXE_6156_2428_1422.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400514_WINWORD.EXE_6156_2428_1421.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400515_WINWORD.EXE_6156_2428_1420.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400515_WINWORD.EXE_6156_2428_1419.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400516_WINWORD.EXE_6156_2428_1418.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400516_WINWORD.EXE_6156_2428_1417.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400517_WINWORD.EXE_6156_2428_1416.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400517_WINWORD.EXE_6156_2428_1415.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78F5058093F3D5B2B453BD56EE8C4AB,SHA256=E108F6FF8C3CD02C172B5D46543FE1FBC7C10FDA051EDCA44AB232700EECA0F7falsefalse - insufficient disk space 11241100x80000000000000002496877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400518_WINWORD.EXE_6156_2428_1414.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400518_WINWORD.EXE_6156_2428_1413.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400519_WINWORD.EXE_6156_2428_1412.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400520_WINWORD.EXE_6156_2428_1411.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.070{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400553_WINWORD.EXE_6156_2428_1410.dmp2021-04-22 17:57:50.070 11241100x80000000000000002496872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400553_WINWORD.EXE_6156_2428_1409.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400554_WINWORD.EXE_6156_2428_1408.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400554_WINWORD.EXE_6156_2428_1407.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400555_WINWORD.EXE_6156_2428_1406.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400555_WINWORD.EXE_6156_2428_1405.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400556_WINWORD.EXE_6156_2428_1404.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400556_WINWORD.EXE_6156_2428_1403.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400557_WINWORD.EXE_6156_2428_1402.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400557_WINWORD.EXE_6156_2428_1401.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400557_WINWORD.EXE_6156_2428_1400.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400558_WINWORD.EXE_6156_2428_1399.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400558_WINWORD.EXE_6156_2428_1398.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400559_WINWORD.EXE_6156_2428_1397.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400559_WINWORD.EXE_6156_2428_1396.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400560_WINWORD.EXE_6156_2428_1395.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400560_WINWORD.EXE_6156_2428_1394.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400561_WINWORD.EXE_6156_2428_1393.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400561_WINWORD.EXE_6156_2428_1392.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400562_WINWORD.EXE_6156_2428_1391.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400562_WINWORD.EXE_6156_2428_1390.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400562_WINWORD.EXE_6156_2428_1389.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400563_WINWORD.EXE_6156_2428_1388.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400563_WINWORD.EXE_6156_2428_1387.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400564_WINWORD.EXE_6156_2428_1386.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400564_WINWORD.EXE_6156_2428_1385.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400565_WINWORD.EXE_6156_2428_1384.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400565_WINWORD.EXE_6156_2428_1383.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400565_WINWORD.EXE_6156_2428_1382.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400566_WINWORD.EXE_6156_2428_1381.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400566_WINWORD.EXE_6156_2428_1380.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400567_WINWORD.EXE_6156_2428_1379.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400567_WINWORD.EXE_6156_2428_1378.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400568_WINWORD.EXE_6156_2428_1377.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400568_WINWORD.EXE_6156_2428_1376.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.023{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400569_WINWORD.EXE_6156_2428_1375.dmp2021-04-22 17:57:50.023 11241100x80000000000000002496837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400569_WINWORD.EXE_6156_2428_1374.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400569_WINWORD.EXE_6156_2428_1373.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400570_WINWORD.EXE_6156_2428_1372.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400570_WINWORD.EXE_6156_2428_1371.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400571_WINWORD.EXE_6156_2428_1370.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400571_WINWORD.EXE_6156_2428_1369.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400572_WINWORD.EXE_6156_2428_1368.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400572_WINWORD.EXE_6156_2428_1367.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400573_WINWORD.EXE_6156_2428_1366.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400573_WINWORD.EXE_6156_2428_1365.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400573_WINWORD.EXE_6156_2428_1364.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400574_WINWORD.EXE_6156_2428_1363.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400574_WINWORD.EXE_6156_2428_1362.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400575_WINWORD.EXE_6156_2428_1361.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400575_WINWORD.EXE_6156_2428_1360.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400576_WINWORD.EXE_6156_2428_1359.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400576_WINWORD.EXE_6156_2428_1358.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400577_WINWORD.EXE_6156_2428_1357.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400577_WINWORD.EXE_6156_2428_1356.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400578_WINWORD.EXE_6156_2428_1355.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400578_WINWORD.EXE_6156_2428_1354.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400578_WINWORD.EXE_6156_2428_1353.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400579_WINWORD.EXE_6156_2428_1352.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400580_WINWORD.EXE_6156_2428_1351.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400580_WINWORD.EXE_6156_2428_1350.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002496811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF42061EA713E3EC77EDF1CE8EC166BC,SHA256=BA47C000D2E150CF9DBD41F96B617981310DDABE6D83AA0CE59863DA30F57D88falsefalse - insufficient disk space 11241100x80000000000000002496810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400581_WINWORD.EXE_6156_2428_1349.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400581_WINWORD.EXE_6156_2428_1348.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400582_WINWORD.EXE_6156_2428_1347.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400583_WINWORD.EXE_6156_2428_1346.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400583_WINWORD.EXE_6156_2428_1345.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400584_WINWORD.EXE_6156_2428_1344.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.008{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400584_WINWORD.EXE_6156_2428_1343.dmp2021-04-22 17:57:50.008 11241100x80000000000000002496803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400585_WINWORD.EXE_6156_2428_1342.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400585_WINWORD.EXE_6156_2428_1341.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400586_WINWORD.EXE_6156_2428_1340.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400586_WINWORD.EXE_6156_2428_1339.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400586_WINWORD.EXE_6156_2428_1338.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400587_WINWORD.EXE_6156_2428_1337.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400587_WINWORD.EXE_6156_2428_1336.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400588_WINWORD.EXE_6156_2428_1335.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400588_WINWORD.EXE_6156_2428_1334.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400589_WINWORD.EXE_6156_2428_1333.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400589_WINWORD.EXE_6156_2428_1332.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400590_WINWORD.EXE_6156_2428_1331.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400590_WINWORD.EXE_6156_2428_1330.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400590_WINWORD.EXE_6156_2428_1329.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400591_WINWORD.EXE_6156_2428_1328.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400591_WINWORD.EXE_6156_2428_1327.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400592_WINWORD.EXE_6156_2428_1326.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400592_WINWORD.EXE_6156_2428_1325.dmp2021-04-22 17:57:49.992 11241100x80000000000000002496785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.992{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88400593_WINWORD.EXE_6156_2428_1324.dmp2021-04-22 17:57:49.992 13241300x80000000000000002497281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:51.738{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\General\LastAutoSavePurgeTimeDWORD (0x019bc315) 11241100x80000000000000002497280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:51.239{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:51.239{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0F5AEE3B4F410B34C58E637A51BCD6,SHA256=0C39C74C273FC6761CD69F527C3049D2C28E73D3BDFCC318953628DE0D38CBDAfalsefalse - insufficient disk space 354300x80000000000000001550737Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:46.185{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19384-false10.0.1.12-8089- 354300x80000000000000001550736Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:45.574{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19383-false10.0.1.12-8000- 10341000x80000000000000001550735Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.277{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-B91F-6081-1A85-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550734Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.275{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550733Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.275{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550732Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.275{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550731Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.275{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550730Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.274{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-B91F-6081-1A85-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550729Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.274{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-B91F-6081-1A85-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550728Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.273{761B69BB-B91F-6081-1A85-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001550727Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.245{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550726Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.245{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550725Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.186{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE500B77F9BDA0B32C9A7E286A2156A,SHA256=4CAC2256853FCAA0B9D53BE11D497E8F7806358B4E9A5552F3DB5138D2931BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550724Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:51.037{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F068C7DE0B56FD83D29A8D1FC274EDE2,SHA256=5291F58852766DD31A5EDFE0E158EB5A15B2948368796E73468F41B511CC2DCE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002497300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:52.423{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001E049E\VirtualDesktopBinary Data 12241200x80000000000000002497299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:52.423{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001E049E 13241300x80000000000000002497298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:52.369{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002497297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:52.369{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002497296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.369{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.369{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.369{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=052C8CE20DE8F53654146519D9FCDE9B,SHA256=48E70E24C8F95F152853C394D098CB399D6816CF1FF2433B58FA8F747BE6086Bfalsefalse - insufficient disk space 13241300x80000000000000002497293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:52.369{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 13241300x80000000000000002497292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:52.369{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeWordBinary Data 534500x80000000000000002497291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.369{21761711-B91E-6081-9D86-00000000BB01}7428C:\Windows\System32\conhost.exe 12241200x80000000000000002497290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:57:52.353{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001E049E 13241300x80000000000000002497289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:52.353{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:52.353{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\pfpevcg.rkrBinary Data 10341000x80000000000000002497287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.353{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.353{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002497285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.353{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe 824800x80000000000000002497284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.353{21761711-84C5-607D-E100-00000000BB01}3220C:\Windows\System32\csrss.exe{21761711-B91D-6081-9C86-00000000BB01}4868C:\Windows\SysWOW64\cscript.exe31400x00000000769638A0C:\Windows\System32\KERNELBASE.dll- 11241100x80000000000000002497283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.254{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:52.254{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E1CBCB00EF6CDEC8B7718B9206FD71,SHA256=69BE64106E4DFFED48D2DAF76A1AF2A18BC066C59A8F91B34435882EB602BFF4falsefalse - insufficient disk space 23542300x80000000000000001550742Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:52.293{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=875AA12EF1E1C8325D0734B18B222910,SHA256=485A9C481196274C291E54EFBD353ADEC459DDB526D9BCAA6B7FC2E1EE753C55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550741Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:52.246{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550740Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:52.246{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550739Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:52.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C0867B4399708D8974F18CDE9DB213,SHA256=689766D5E964A8E513A2A7E95C279A257F5A0F23D6B976672A6E6EC26D350135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550738Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:52.179{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABDB8F347FFDE3E3315B87B4CE023423,SHA256=06345191FC321FE55145D2D142DA51EEBC6FD0141A64A841C5FA54F1B5DFEED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002497314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:50.712{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50214-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002497313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:53.371{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:53.371{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D00B081E78D1276D22A1593256F7881,SHA256=F0B347C8D196F64D44706FDDFDFE98F57C6D57893C0F958E8B904B0E89856DFFfalsefalse - insufficient disk space 11241100x80000000000000002497311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:53.324{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:53.324{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F5233841D245545284AA18047C5A29,SHA256=17E0AB436A1F6364C3962609F0817D6A45A7EE3793E669B2D56A47D76DE96654falsefalse - insufficient disk space 13241300x80000000000000002497309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:53.324{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011062A\VirtualDesktopBinary Data 12241200x80000000000000002497308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:53.324{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011062A 10341000x80000000000000001550745Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:53.246{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550744Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:53.246{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550743Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:53.211{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D56F714FE86537B6125E7C2843A604,SHA256=C2A98D93EF4622DD6020EE0764F4C7611B422E802E2D02C5CD1C30C5768193A3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002497307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:53.308{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:53.308{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:53.308{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:53.271{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:53.271{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:53.271{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002497301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:49.742{21761711-B91D-6081-9C86-00000000BB01}4868<unknown process>WIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50213-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000002497324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:54.926{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:54.873{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C0630\VirtualDesktopBinary Data 12241200x80000000000000002497322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:54.873{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C0630 13241300x80000000000000002497321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:54.810{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:54.810{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 23542300x80000000000000002497319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:54.810{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{4DBCFB72-B156-4C91-9A6B-A9428C57F6B2}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsefalse - insufficient disk space 23542300x80000000000000002497318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:54.810{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Desktop\~$_doc1_rundll32.dotmMD5=A0187E3B49FCD8F890CA10CF73006D8E,SHA256=6ECBD22897A1EA05A6DA4336FF99137046A6E0E1F23ABA8A90D9164162205FC6falsefalse - insufficient disk space 13241300x80000000000000002497317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:54.794{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Toolbars\Settings\Microsoft WordBinary Data 11241100x80000000000000002497316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:54.325{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:54.325{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1799A678C087AA0AFD8371BDF6471D5,SHA256=748A86642F9B984CCE2D752250BE3D17EA817F504431E0DA03CE39AB8BDF7C56falsefalse - insufficient disk space 10341000x80000000000000001550748Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:54.247{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550747Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:54.247{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550746Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:54.216{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4152C59D8FD087DDF839BB02F8DF6043,SHA256=D54269CD3DDD1AB2B171C56379CC46DCC14C0EB1BB936F3EB52E859B2625A72D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002497328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:55.374{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:55.374{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000002497326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:55.327{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:55.327{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DD1373F366913B011E9AC454ADFC92,SHA256=6A100D86626DB70E3C38F56C7AD45AAD51A377BE2392618E9190949F87D2CF61falsefalse - insufficient disk space 10341000x80000000000000001550760Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.868{761B69BB-B923-6081-1B85-00000000BA01}5882196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550759Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.724{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-B923-6081-1B85-00000000BA01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550758Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.722{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550757Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.722{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550756Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.722{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550755Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.722{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550754Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.721{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-B923-6081-1B85-00000000BA01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550753Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.721{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-B923-6081-1B85-00000000BA01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550752Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.721{761B69BB-B923-6081-1B85-00000000BA01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001550751Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.247{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550750Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.247{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550749Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:55.229{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36B52678C42E504E013747118520CC2,SHA256=17D88596031FE0E42124860C65D08A9234268C3AD8EBE20DD2A26D2E65496044,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:56.444{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:56.444{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CB8BD620AFC96BA2AE955937CF34D5,SHA256=8CDFD8C25E2C568CFBFB0BB3CDBE97CD20850B50C16A963A275C29CDDE948B37falsefalse - insufficient disk space 354300x80000000000000001550773Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:50.710{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19385-false10.0.1.12-8000- 10341000x80000000000000001550772Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.364{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-B924-6081-1C85-00000000BA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550771Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.363{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550770Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.363{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550769Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.362{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550768Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.362{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550767Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.362{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-B924-6081-1C85-00000000BA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550766Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.362{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-B924-6081-1C85-00000000BA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550765Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.362{761B69BB-B924-6081-1C85-00000000BA01}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001550764Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.247{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550763Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.247{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550762Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.242{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F898F27813F1C54A9064F78CA558DC8,SHA256=285FF221830EA2D1B4CA8108BD9D43C8279069BC83B5270A511E15441065DDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550761Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.196{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A8F234E7B9A5DD4E74130C0546961F6,SHA256=8DA7709E307C28EC621D5F196BA92948C098E37A514BB6BFBF674D291B6EDD47,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:57.630{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:57.630{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E4973FE38FFD623C3B65F40A383656,SHA256=D6333BE5743A5F6DE486E38E9892873A2E0FF4BBCD4A549E7F1820914CDD7D0Dfalsefalse - insufficient disk space 23542300x80000000000000001550786Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.386{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31B2305ED0911B09C092737BF6F0E11F,SHA256=4E5B9C45D91A33EF29092BE538C974C514141B522DFD25028B2D2D4202F1D500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550785Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.252{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B8AEBCFF39E894492B2EB2F4999F16,SHA256=BDE1F6AB22F645DD230CD9D25A54C8AC5721BAE459BBADC1D2EA39166CB5D73E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550784Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.248{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550783Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.248{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:57.531{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:57.531{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:57.531{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550782Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.175{761B69BB-B925-6081-1D85-00000000BA01}52482372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550781Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.030{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-B925-6081-1D85-00000000BA01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550780Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.028{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550779Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.028{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550778Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.028{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550777Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.027{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550776Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.027{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-B925-6081-1D85-00000000BA01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550775Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.027{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-B925-6081-1D85-00000000BA01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550774Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:57.026{761B69BB-B925-6081-1D85-00000000BA01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000002497347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.764{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.764{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BB7E56D488FD486736C83880FBBFA0,SHA256=AB9B79B6F33FC197D66B9D5012AA2F05BF88520A4D036F8F2C471955A5CF9E7Ffalsefalse - insufficient disk space 23542300x80000000000000001550789Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:58.252{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E40199C93ED37A3ED2E693CF96B10A,SHA256=B4C43D0D3A4759D2F06270932E7CFD993B11089B0093D232D29FA1663B8A7AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550788Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:58.249{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550787Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:58.249{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:58.394{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001104FE\VirtualDesktopBinary Data 12241200x80000000000000002497344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:58.394{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001104FE 13241300x80000000000000002497343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:58.316{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:58.316{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.316{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.263{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.263{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F217933688B25CE980AEFA524647D4E2,SHA256=4E6A009E71688846DB79C0CE695164315B3B05CF588B289C1592FD46A5045EC0falsefalse - insufficient disk space 10341000x80000000000000002497338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.096{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.095{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:58.095{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002497449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.999{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA6D1BE875BFBC5631DB8A48E976B4E,SHA256=5CF8E15EDC19D6798561F482C642EC9C422DD5B155E0AB6362F6B9AEEBD63C37falsefalse - insufficient disk space 23542300x80000000000000001550792Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:59.257{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DFB4D7A0166D4CC018D3C193D900C0,SHA256=FF12FCFF3A1DCC950F3C2F0F3BEE431CC873B31420096E192F4590C7E090E5F9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002497448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.597{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001B0496\VirtualDesktopBinary Data 12241200x80000000000000002497447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:59.597{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001B0496 13241300x80000000000000002497446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.550{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000150264\VirtualDesktopBinary Data 12241200x80000000000000002497445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:59.550{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000150264 10341000x80000000000000002497444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.534{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.534{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002497442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:59.534{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 534500x80000000000000002497441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.534{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exe 13241300x80000000000000002497440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.534{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.534{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pfpevcg.rkrBinary Data 10341000x80000000000000002497438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.534{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.534{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002497436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.534{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exe 12241200x80000000000000002497435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:59.534{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows Script Host\Settings 10341000x80000000000000002497434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-83AE-607D-1600-00000000BB01}11082420C:\Windows\system32\svchost.exe{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000002497430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000002497428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x80000000000000002497427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002497426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 13241300x80000000000000002497413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.519{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.519{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.519{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 13241300x80000000000000002497404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002497403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000002497402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37843628C:\Windows\Explorer.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000002497394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000002497393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-83AE-607D-1600-00000000BB01}11082420C:\Windows\system32\svchost.exe{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000002497390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000002497389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000002497387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002497386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000002497385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000002497384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000002497383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 10341000x80000000000000002497382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.503{21761711-B927-6081-9F86-00000000BB01}78165780C:\Windows\system32\conhost.exe{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.501{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000002497380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.501{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.500{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000002497378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.500{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.500{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.499{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000002497375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.499{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.499{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.498{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.498{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.498{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.498{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.497{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=C16CC61A395D046B4294C92F7C1FD0C2,SHA256=6B5240C0D6F5C1E87A7713CAB668FA9DB0E54492441979ACBD7EA9323724C1B8trueMicrosoft WindowsValid 734700x80000000000000002497366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000002497365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000002497364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000002497360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.493{21761711-B927-6081-9F86-00000000BB01}7816C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.execscript.exe 734700x80000000000000002497359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exeC:\Windows\System32\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.exeMD5=8552F94CFD39A4C307BCD1BD88D41604,SHA256=6216383428EAB3292C5590C70D24B33A7D84FBF1C463E331C40F052E6EA356FEtrueMicrosoft WindowsValid 10341000x80000000000000002497355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B7F2-6081-6F86-00000000BB01}61562428C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\SYSTEM32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(0000014832C2644A) 154100x80000000000000002497353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.490{21761711-B927-6081-9E86-00000000BB01}7416C:\Windows\System32\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.execscript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=8552F94CFD39A4C307BCD1BD88D41604,SHA256=6216383428EAB3292C5590C70D24B33A7D84FBF1C463E331C40F052E6EA356FE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Administrator\Desktop\asr_atomic.dotm 11241100x80000000000000002497352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-88391103_WINWORD.EXE_6156_2428_1678.dmp2021-04-22 17:57:59.481 13241300x80000000000000002497351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.481{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:57:59.481{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.481{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002497348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:56.686{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50215-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001550791Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:59.250{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550790Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:59.250{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550812Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.727{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-B928-6081-1F85-00000000BA01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550811Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.725{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550810Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.725{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550809Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.725{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550808Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.725{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550807Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.724{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-B928-6081-1F85-00000000BA01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550806Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.724{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-B928-6081-1F85-00000000BA01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550805Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.724{761B69BB-B928-6081-1F85-00000000BA01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550804Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.266{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC2D73A9146D18F0FA70F5720549503,SHA256=AB173F92E72397BA580F29152688190D9D1BFEFC4CB91650F47A63B9D52CDD25,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002497459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:00.750{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000160264\VirtualDesktopBinary Data 12241200x80000000000000002497458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:58:00.750{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000160264 13241300x80000000000000002497457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:00.666{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:00.666{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:00.666{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:00.500{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:00.500{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64173112E19810E7148DDA05F59232A4,SHA256=F0E041711C86FFFC4003FF7FF13CBC118FDB9CE102A0B05CBC5071DD42C292B4falsefalse - insufficient disk space 11241100x80000000000000002497452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:00.018{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:00.018{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FE8BF9BA0092EFC1F37C4D08DAA853,SHA256=E889B25C78D269436874EB8BA84AA4E5FA77D014CB5F04F8AF80403715D48E9Afalsefalse - insufficient disk space 11241100x80000000000000002497450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:57:59.999{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 10341000x80000000000000001550803Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.251{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550802Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.251{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550801Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.210{761B69BB-B928-6081-1E85-00000000BA01}37165480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550800Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.060{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-B928-6081-1E85-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550799Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.058{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550798Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.058{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550797Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.058{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550796Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.058{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-B928-6081-1E85-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550795Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.058{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550794Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.058{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-B928-6081-1E85-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550793Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:00.057{761B69BB-B928-6081-1E85-00000000BA01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001550825Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.543{761B69BB-B929-6081-2085-00000000BA01}6992308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550824Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.390{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-B929-6081-2085-00000000BA01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550823Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.389{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550822Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.389{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550821Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.389{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550820Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.388{761B69BB-818C-607D-0C00-00000000BA01}8446848C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550819Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.388{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-B929-6081-2085-00000000BA01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550818Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.388{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-B929-6081-2085-00000000BA01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550817Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.388{761B69BB-B929-6081-2085-00000000BA01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001550816Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.276{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D664286ECA59153FCAC04AD452D393DC,SHA256=078BDBB67653E8C8F441F763A2FF85F30F8F5F8512F1FE078A46861944374ECC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:01.004{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:01.004{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C46BDC07031319F54AF5F3F03753A2,SHA256=F9EFB215E754932953843BF91F028C770332FE3BA00CEB01B21108E4F96DFC76falsefalse - insufficient disk space 10341000x80000000000000001550815Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.251{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550814Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.251{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550813Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.062{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76C3D075F85FA5181BE6DFA822B58DDF,SHA256=F8EBB0EB8FF69396E0298EA351B496B32CEE8BB06DD9AA33CFD8426835134972,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550830Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:57:56.610{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19386-false10.0.1.12-8000- 23542300x80000000000000001550829Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:02.290{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07674D65A68CA8DFC0E8E080A6FF011A,SHA256=5D1E936DA5D6E69591AA7E0EEE6C580B5A150F4F0BEDFCFF6EBCBB38C94EA9F4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002497465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:02.537{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:02.537{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000002497463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:02.184{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:02.184{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11D122B4FF20341F274AD0B66100BCB,SHA256=B8F76CBB938812623C10C0C3DC1225E503B263F2C8F87010ABB5393356CC4444falsefalse - insufficient disk space 10341000x80000000000000001550828Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:02.252{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550827Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:02.252{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550826Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:02.074{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3075E85EC293882A407A80DBC87EDC63,SHA256=B99085F806F47D2A30C8C63BB1D205B95C7CF7165A9988E57656096DDB313986,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:03.237{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:03.237{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC868EB3A0338498E9999A389662948,SHA256=EB162635BB5E7BC276BB7C0946AB76BF34A432A22E8CC3B5AFA742FAEB3E35B0falsefalse - insufficient disk space 23542300x80000000000000001550833Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:03.293{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B940B4FC35A4849C9F7C52F2DF6D2FCE,SHA256=E2A092F422D309D929624040DF273A7E2C10DBCA7B027DEE9738B48AC3747987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550832Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:03.253{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550831Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:03.253{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 254200x80000000000000002497523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.369{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1619113971087705400_71378B35-CAB8-480C-B391-3AAC871C8D49.log2021-04-22 17:52:51.0862021-04-22 17:52:51.086 11241100x80000000000000002497522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-04-19 17:20:23.952 23542300x80000000000000002497521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=E7535DE8EE1BE5E7688A85EEFB39FFCD,SHA256=FC09B09EEB8A945EC71EBD641C7E330A37065444F9E33998DA2C69FAB2FB34B4falsefalse - insufficient disk space 13241300x80000000000000002497520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6156\0Binary Data 11241100x80000000000000002497519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json2021-04-19 17:20:23.952 23542300x80000000000000002497518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5=6D84CEE6D5BB054054BE87D1056E8D95,SHA256=2A25607260860071A6C809F63DF347A83424DAA3386FCC0239024481460A2D1Efalsefalse - insufficient disk space 11241100x80000000000000002497517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json2021-04-19 17:20:23.952 23542300x80000000000000002497516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5=536AD5104BF69553F6798611F34928AB,SHA256=FC9F0B5E89246B67178A66C1B6FDF68F07F24549D53592B098C1DDDAE63EA726falsefalse - insufficient disk space 11241100x80000000000000002497515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-04-19 17:20:23.952 23542300x80000000000000002497514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=E7535DE8EE1BE5E7688A85EEFB39FFCD,SHA256=FC09B09EEB8A945EC71EBD641C7E330A37065444F9E33998DA2C69FAB2FB34B4falsefalse - insufficient disk space 11241100x80000000000000002497513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json2021-04-19 17:20:23.952 23542300x80000000000000002497512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5=6CA4960355E4951C72AA5F6364E459D5,SHA256=88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3falsefalse - insufficient disk space 11241100x80000000000000002497511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json2021-04-19 17:20:23.952 23542300x80000000000000002497510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5=E4E83F8123E9740B8AA3C3DFA77C1C04,SHA256=6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31falsefalse - insufficient disk space 13241300x80000000000000002497509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6156\0Binary Data 23542300x80000000000000002497508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B1D0C5BE-F99C-40BF-9EC6-D00587FB1913}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsefalse - insufficient disk space 23542300x80000000000000002497507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{FFBA5117-8D16-4B8F-A0BA-200AD27E0626}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsefalse - insufficient disk space 13241300x80000000000000002497506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.354{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\VBA\7.1\Common\OBGroupMembersDWORD (0x00000000) 13241300x80000000000000002497505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.322{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000110578\VirtualDesktopBinary Data 12241200x80000000000000002497504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:58:04.322{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000110578 11241100x80000000000000002497503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.269{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.269{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9494382DC0E8D89E25EA24CF20CAB761,SHA256=82E3180CC5D9024691922CDB8F4B04F40CD4B91056621E267FB148E72239165Cfalsefalse - insufficient disk space 13241300x80000000000000002497501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.269{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001B0324\VirtualDesktopBinary Data 12241200x80000000000000002497500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:58:04.269{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001B0324 23542300x80000000000000001550836Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:04.298{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8260B77C6897F4AB4ED20B2275600015,SHA256=7E23A7F875A89306D72F6F6D40CDAAF51F9DD4D47E3834966CBA7A4F3A6C6CB9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002497499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\VBA\7.1\Common\UIBinary Data 13241300x80000000000000002497498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\VBA\7.1\Common\Toolbars\Settings\Microsoft Visual BasicBinary Data 12241200x80000000000000002497497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:58:04.253{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011062A 13241300x80000000000000002497496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\VBA\7.1\Common\DockBinary Data 12241200x80000000000000002497495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\VBA\Forms3\Controls\EnableActiveXControlMSWebBrowserArchiteturePersistenceIssue 12241200x80000000000000002497494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\VBA\Forms3\Controls\EnableActiveXControlArchitetureIndependent 23542300x80000000000000002497493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{41BB8CD3-0E37-4EBB-8CFD-5C10DF8D93B0}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsefalse - insufficient disk space 23542300x80000000000000002497492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B12C2377-AE62-46A8-ABA0-251414D95F00}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsefalse - insufficient disk space 23542300x80000000000000002497491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{57B20DF7-9CAF-44A5-B527-8D157A09E935}.tmpMD5=830FBF83999E052538EAF156AB6ECB17,SHA256=D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869falsefalse - insufficient disk space 23542300x80000000000000002497490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotmMD5=46278275369CC8C8A0F84A01948E69C4,SHA256=BA0FD16037B1D4703775883B16166F23FBE6333F78B37346811F9403B91129CFfalsefalse - insufficient disk space 13241300x80000000000000002497489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6156\0Binary Data 12241200x80000000000000002497488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:58:04.253{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001B0324 13241300x80000000000000002497487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.253{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6156\0Binary Data 13241300x80000000000000002497486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.222{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000002497485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:58:04.222{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 11241100x80000000000000002497484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.222{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.222{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D49187BD84D511F17533257F8BC14888,SHA256=F5FBEF7EC154CBCA05F3FCF06DB0E5DF512E596B13BD06CC38AC371CB718731Dfalsefalse - insufficient disk space 13241300x80000000000000002497482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.206{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000002497481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.206{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.206{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000002497479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.169{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6156\0Binary Data 13241300x80000000000000002497478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.169{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Data\SettingsBinary Data 13241300x80000000000000002497477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000170264\VirtualDesktopBinary Data 12241200x80000000000000002497476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:58:04.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000170264 12241200x80000000000000002497475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:58:04.137{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C0630 23542300x80000000000000002497474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.122{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Desktop\~$r_atomic.dotmMD5=B040C3A0D490E1C2B5864E03E44C66F7,SHA256=EFF2146A2C8803F676544DCF0A21FF5FF443EE67B8BA7BDE42C3D2C3433B9785falsefalse - insufficient disk space 23542300x80000000000000002497473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.122{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{381CF712-AE97-4AF9-B482-E11AE9AC9130}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsefalse - insufficient disk space 23542300x80000000000000002497472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.122{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{53B38D02-2AC7-40AD-88F0-F04F37B1E7AE}.tmpMD5=5D4D94EE7E06BBB0AF9584119797B23A,SHA256=4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1falsefalse - insufficient disk space 23542300x80000000000000002497471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.106{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Desktop\~WRL0003.tmpMD5=013EE226A64786A0750531C36DE81737,SHA256=8CADAE092463DFFA75079CB6B38BBC634DCADBFB1C4991650DA34B63056FD4D2falsefalse - insufficient disk space 13241300x80000000000000002497470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.104{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:04.104{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000002497468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.103{21761711-84C9-607D-F200-00000000BB01}37846732C:\Windows\Explorer.EXE{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550835Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:04.254{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550834Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:04.254{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550839Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:05.307{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864C4664AE85D53B197B264AFC47D95A,SHA256=2EBAC98D92C943F72ED39C5828FA578FAD142E304A204DB226DA8F0966D17DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002497537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:02.676{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50216-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000002497536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.386{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 734700x80000000000000002497535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.386{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 23542300x80000000000000002497534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.386{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{7BD83791-F627-4BFD-A170-C78BB538942F}.tmpMD5=41CA8DCB42DCCBB6FD7D1312042083E9,SHA256=FF3E58AC8879F4A303C1C8AF75CB4A7B6469C15B510A1EA3A48F261A7CB03BDFfalsefalse - insufficient disk space 11241100x80000000000000002497533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.370{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.370{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86E696F26D6DA7FC5649F455AB81D046,SHA256=22E6ABFC1EA92042A386DA1EBDB0722E1B8017A009A26D6310773146B97A9162falsefalse - insufficient disk space 12241200x80000000000000002497531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 17:58:05.355{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6156 12241200x80000000000000002497530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-22 17:58:05.355{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6156\0 13241300x80000000000000002497529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:05.355{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\6156\0Binary Data 12241200x80000000000000002497528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 17:58:05.355{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\6156 23542300x80000000000000002497527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.355{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5=18E62D19D0C06D4B474E8067942E53E8,SHA256=BB52AE6C1EF78A2BF2C779D826A49057E0369386EA654DE26102BE5C0F7C6F20falsefalse - insufficient disk space 23542300x80000000000000002497526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.355{21761711-B7F2-6081-6F86-00000000BB01}6156WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shmMD5=312DC97F385BBE0DF4BE0220476995CE,SHA256=EE18D598D550B7544256FED039468C01C3093DD534F7E4EC2C3483B2DE246F7Cfalsefalse - insufficient disk space 11241100x80000000000000002497525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.286{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:05.286{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD931E9A6C7076E85A53E09E352FD75E,SHA256=B18759537AFF57E5319AB65337368F477BE203A6791ABC85E99069D037A56826falsefalse - insufficient disk space 10341000x80000000000000001550838Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:05.254{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550837Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:05.254{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550842Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:06.312{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFF225173618D6D45BC7121229F6316,SHA256=E38CF1409719E3617065829C5019D09940B87CAF5D6C50AF9A035AA38BD31C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002497542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:04.021{21761711-B7F2-6081-6F86-00000000BB01}6156C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50217-false52.114.20.14-443https 11241100x80000000000000002497541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:06.407{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:06.407{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C13F6E256731F67BBB657D4DFA83CFE,SHA256=37C5F73EB8059196BDA9EEF78EFAF6E24E25500330CFB6297CB646CA88E8CE15falsefalse - insufficient disk space 11241100x80000000000000002497539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:06.287{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:06.287{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784212B807E73C10804719AFF69F2B66,SHA256=6CF974627C1AA42BDB672ABB454AEBAA092B8361FB526C5EC119ED3A408049BEfalsefalse - insufficient disk space 10341000x80000000000000001550841Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:06.255{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550840Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:06.255{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:07.357{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:07.357{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7955B5E9C86A8C59A2EB48A63B566865,SHA256=F6898C10B1D1DF620CB639A2E9000A4A0D02A1850CBF8C68C83F56A1FE9EFEEAfalsefalse - insufficient disk space 354300x80000000000000001550848Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:01.745{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19387-false10.0.1.12-8000- 23542300x80000000000000001550847Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:07.352{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E9B957B32C2E447A11FE3FC21CF347C,SHA256=5D4CC73C1CB8F292B568B58ADFE3F9071B1F25E764B14890EF592C18B1921099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550846Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:07.351{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3504938775CCDB1D543BBD2F2AEFBA3A,SHA256=CD18DCC20A6EDD6679E50F07B5B9FF5A4B66ECE014FD256A53CAF240A14C22CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550845Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:07.314{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F5DAA537FD7F1A198901FF5A258876,SHA256=6EE680F093A5ADD4EA732B762E3736A5240A3DDBAEA27DA6CC0F8655C47A5E6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550844Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:07.256{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550843Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:07.256{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000002497544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:07.226{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000002497543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 17:58:07.226{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x80000000000000002497548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:08.359{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:08.359{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07F2AF11D685238FFCC59ADAB9219BD,SHA256=8924D51317C52C00865F760C7968C19542F03D61C20276A7A42FBC64ABD2AFABfalsefalse - insufficient disk space 23542300x80000000000000001550853Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:08.953{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E9B957B32C2E447A11FE3FC21CF347C,SHA256=5D4CC73C1CB8F292B568B58ADFE3F9071B1F25E764B14890EF592C18B1921099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550852Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:08.931{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\datareporting\aborted-session-pingMD5=13F969FD82F0CC7E71D7BAEB9E8C1972,SHA256=F1508BA996DE54B64EC493308EC9715069AF135511EAC2C52F2E41BED8C2E3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550851Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:08.319{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B875EAA900AE87035B7936814D27EF7,SHA256=C521C00BBE03A47AABAC324269A930CFDB2AB8D942FE1510A8C0C19478C10215,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550850Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:08.257{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550849Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:08.257{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002497553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:07.680{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50218-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002497552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:09.391{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:09.391{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E043F0691AC1B414CBC756F7D476A3DC,SHA256=15B5EAD20758D872C64D3094E1F54972A398AE9E70C1754896BAA5EBCC7C059Cfalsefalse - insufficient disk space 11241100x80000000000000002497550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:09.360{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:09.360{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446EA7CBE2493A8E5DD0B34A6D420E5D,SHA256=C8719C01192AD34276F0D63B2289B49002E2A9F6BA788AEB5C76BA682A1EAC88falsefalse - insufficient disk space 23542300x80000000000000001550856Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:09.329{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEDF52CBE8739E7BAF97530EE4237BD,SHA256=F83A5D8D9DC0AAA882BA0C75533FB827C3DEBAE680F8293676D385C01FB339A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550855Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:09.258{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550854Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:09.258{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:10.510{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:10.510{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31503F86AFFEFC2F483B36622DFD2417,SHA256=C9C46A93FF0B7B8AD73675F5D0D4B9E7345F08425C2ABB3332C2387B90B56E94falsefalse - insufficient disk space 23542300x80000000000000001550860Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:10.335{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBBCE8094FC7BF9F6045EA69DCC0CFE,SHA256=C0C35FBDF444544CE15E0391F79434B7F121CEA5659CBCE98F5E8F2C28570D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550859Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:10.259{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550858Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:10.259{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550857Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:03.411{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19388-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002497557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:11.592{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:11.592{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C003E0FF1295C341C67C3D4F2F34D5D0,SHA256=2F2F1E9A5C63F8835F3B512A49AEE584D788108BFDFE218640E563FF62D5DAB3falsefalse - insufficient disk space 23542300x80000000000000001550863Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:11.337{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D4ECADD7CDDE8BADA9938DF8C6041C,SHA256=CFF8463A73F7F1E09819D70361756362A1DAC77BC22DB32780EB6C0B1062CD70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550862Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:11.260{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550861Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:11.260{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000002497615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.694{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002497614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.694{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.694{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002497612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.694{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002497611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.647{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.647{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2777A6B20AD556D78D498A0DA5C44203,SHA256=FE0DC4B6ECC18E6077195BD5ECE7C28C09AC460DA80507D46578D2D51412D3C9falsefalse - insufficient disk space 23542300x80000000000000001550866Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:12.343{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0ADD38CAFAAE8116B1D966D5F21A17,SHA256=ECC88CCBF5571E05717CC2CD246CFA471802AAEC3961A2606BF517E77829701A,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000002497609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.578{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002497608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002497607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002497606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002497605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002497604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000002497603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002497602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002497601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002497600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002497599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002497598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002497592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002497590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002497586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002497585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002497584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002497583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002497582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002497580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002497579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002497578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002497575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002497574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002497573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000002497572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002497571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000002497566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.563{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002497564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.548{21761711-B934-6081-A086-00000000BB01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002497563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:12.547{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:12.547{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:12.547{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:12.547{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:12.547{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:12.547{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001550865Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:12.261{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550864Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:12.261{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:13.648{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:13.648{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C74736261C681E79EC6E3FF8237B87A,SHA256=E8F9BE4AC101CE5BDCBFB8D4D56911F01F87E2E3FFB1BA393BC0325C28DCCC46falsefalse - insufficient disk space 23542300x80000000000000001550870Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:13.354{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E70C84593EF6F4E9DA7341E6228E6DF,SHA256=040E3FBD01C4CF083C94829989BFF4CEC1E0EE09779671B515CEA418E1D1CDAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:13.548{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:13.548{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=209160F3C60007347F171F419732A204,SHA256=1B1370BE517C60208ED0319247CAB5C4F2D0D89055DB1CAD35717880195501EDfalsefalse - insufficient disk space 10341000x80000000000000001550869Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:13.262{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550868Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:13.262{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550867Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:13.102{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8657426B55A62559D7F04E6A39F58BD2,SHA256=B08567B625C8C6A1F59344CD11E19BBDC2855056FEC06BBE38910CB67463BC71,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:14.765{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:14.765{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21694ADE80054B833A7F8804232F1ED,SHA256=2EF4247BF7957E2B983CB30D7006DFEFFE76358315A709ECA681CCDFDEDFDB5Efalsefalse - insufficient disk space 23542300x80000000000000001550874Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:14.357{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84F952360D961D1BEA60C08F9C02536,SHA256=DE9546F30BDBC522F7ECB4DD86E137919E54FE6173261F648C08E55AA99FC070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002497623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:14.033{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF1071431b.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000002497622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:14.033{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RF1071431b.TMP2021-04-22 17:58:14.033 254200x80000000000000002497621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:14.033{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1qtkpwz5.tmp2021-04-20 20:22:02.3742021-04-22 17:58:14.033 11241100x80000000000000002497620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:14.033{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1qtkpwz5.tmp2021-04-22 17:58:14.033 10341000x80000000000000001550873Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:14.263{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550872Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:14.263{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550871Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:07.638{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19389-false10.0.1.12-8000- 11241100x80000000000000002497628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:15.781{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:15.781{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AA6C04183C4CCEC9EB53539BA3BBFC,SHA256=5BF9D881DD9B29AAD39CF9E874465BC73DF06FDA4DE0B0CB49889EFD2496C1A8falsefalse - insufficient disk space 23542300x80000000000000001550877Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:15.360{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3C48D8E81E42C2BB67907BF486D4CF,SHA256=FD8270270CA6CA255BCC129CD4065D2027195339D22D7AB47902EEDA4647E061,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002497626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:12.705{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50219-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001550876Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:15.263{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550875Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:15.263{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.967{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002497681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.967{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002497680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.967{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002497679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:16.967{21761711-B938-6081-A186-00000000BB01}4540\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002497678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.967{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002497677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002497676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002497675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002497674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002497673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002497672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002497670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002497669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002497668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002497667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002497666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002497665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002497664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002497663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002497662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002497661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002497660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002497659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002497658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002497657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002497656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002497644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002497639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.952{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002497637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.937{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002497636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:16.936{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:16.936{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:16.936{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:16.936{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:16.936{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:16.936{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002497630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.816{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:16.816{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC126C9FF3BBEC170BF7EE0C68D2A5D,SHA256=A72CB8852B6EEFBC07DDB6BC04AB4BD17CDB58500EE5BE95F386AF75654009FCfalsefalse - insufficient disk space 23542300x80000000000000001550880Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:16.374{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03686E73264438F498938F618ED2C592,SHA256=3A409E531779C25A1ABDF6BEB2A318A0F93EF1021B1628A60BF1B4D45B710666,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550879Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:16.264{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550878Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:16.264{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.917{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.917{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4747A64F2BC5B70817F618BA164B32,SHA256=36128443959A17AC56298EAC477CD794FDA6362CDC09029A81E4B23A2FDC52B6falsefalse - insufficient disk space 23542300x80000000000000001550883Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:17.387{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E48B946D391C37BD0B17CA4F4D570D,SHA256=DBE7B7B71F99A62C59F1EC6F921634909EDCB945D46AFB33916417EF15EB0694,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002497748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.783{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002497747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.783{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.783{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002497745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.783{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002497744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.683{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.683{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73303D08899BF79E914F8F307861E39C,SHA256=D13A5A41654D688F606E2BE8E0FB9E7B9DB2C5CD56EC056CE2F683914E98B1F8falsefalse - insufficient disk space 734700x80000000000000002497742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.667{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002497741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.667{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002497740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.667{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002497739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:17.667{21761711-B939-6081-A286-00000000BB01}2200\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002497738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.667{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002497737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002497736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002497735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002497734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002497733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002497732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000002497731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002497730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002497725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002497724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002497723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002497721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002497719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002497718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002497717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002497715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002497712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002497710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002497709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002497708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002497707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000002497706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000002497705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002497704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002497703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000002497700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000002497695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.652{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002497693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.637{21761711-B939-6081-A286-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002497692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:17.636{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:17.636{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:17.636{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:17.636{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:17.636{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:17.636{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000002497686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.083{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002497685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.083{21761711-B938-6081-A186-00000000BB01}45401292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.083{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002497683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:17.083{21761711-B938-6081-A186-00000000BB01}4540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001550882Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:17.265{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550881Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:17.265{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550888Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:18.596{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EE6E8C65D46897B9F724CE2F2C07C6,SHA256=8D4656A412163F6E178693C7BA10E7252F9C223151448AF2A136C788933480BE,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002497808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.484{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002497807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.484{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002497806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.484{21761711-B93A-6081-A386-00000000BB01}79843300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.484{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002497804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.484{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002497803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.368{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002497802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002497801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002497800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002497799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002497798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002497797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002497796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002497795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002497794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002497793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002497792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002497786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002497784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002497780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002497779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002497778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002497777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002497775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002497774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002497773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002497770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002497769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002497768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002497767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002497766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002497761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.353{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002497759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.338{21761711-B93A-6081-A386-00000000BB01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002497758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:18.337{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:18.337{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:18.337{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:18.337{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:18.337{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:18.337{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002497752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.020{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.020{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD232FC809F510DF4D141D886F5EF32,SHA256=48FD92E2F08A5A3DF8F8652EC9BCC308DF5A309BF207D195891290902DB37F02falsefalse - insufficient disk space 23542300x80000000000000001550887Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:18.461{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D617E21E83325378D06CD801BCD519,SHA256=5D85512D8A99DCDA2566583F77762CD2417AF1BB5ED6D19309F3EEE605AD6B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550886Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:18.460{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F3DF899DEC2714E0E6B57757DA9A042,SHA256=19EE94BD995FD38625D353E5561F6CC287268F55519B04CBD52425D12663D614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550885Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:18.266{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550884Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:18.266{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550892Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:19.606{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59720951E588CC2349A67AF313A351B,SHA256=23D13A0804A1F1F4B24D6D73E40D46F4637C78CAB896A770852E675746B8CEBC,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002497925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.869{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002497924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.869{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002497923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.869{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002497922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.869{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002497921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002497920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002497919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002497918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002497917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002497916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002497915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002497914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002497913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002497912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002497911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002497910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002497909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002497908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.738{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002497906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000002497905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002497903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002497902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002497900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002497899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002497898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002497894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002497893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002497892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002497891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002497888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002497887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002497883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002497878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.722{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002497876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.717{21761711-B93B-6081-A586-00000000BB01}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002497875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.716{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:19.716{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.716{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:19.716{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.716{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:19.716{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002497869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.369{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.369{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48EE1D26E5AEFC3430B782A77594B7EF,SHA256=92F70E1EDEA21AE3E9E9BD598123980BAE69494E313E015159501E8DC5A2166Cfalsefalse - insufficient disk space 534500x80000000000000002497867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.184{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002497866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.184{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002497865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.184{21761711-B93B-6081-A486-00000000BB01}52005392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.184{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002497863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.184{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002497862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.137{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.137{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3473E9455342CA053E1A8194E0F4FF1,SHA256=A2344854207D143EC3268912F140E16BEA3198DDC1A66631BFFF9DDA5A4E3D0Bfalsefalse - insufficient disk space 734700x80000000000000002497860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.068{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 10341000x80000000000000001550891Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:19.267{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550890Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:19.267{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550889Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:12.771{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19390-false10.0.1.12-8000- 734700x80000000000000002497859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002497858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002497857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002497856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002497855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002497854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002497853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002497852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002497851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002497850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002497849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002497843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002497840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002497838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002497836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002497835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002497834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002497833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002497831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002497829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002497827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002497826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002497825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002497824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002497823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002497822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002497817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.053{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.037{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002497815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:19.038{21761711-B93B-6081-A486-00000000BB01}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002497814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.037{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:19.037{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.037{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:19.037{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:19.037{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:19.037{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001550896Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:20.610{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E36AFDEE56150A5E5B6AA283952A266,SHA256=E70A706ADA6263CD982FEF0876857A4FAB8E705F8FC441BC2A3B024650D31D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002497986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:18.525{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50220-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002497985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.739{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.739{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3830231074CA06CC2C739A1BAF2A6FF8,SHA256=73745A01A1E0866D7930D7C65BC00409ABFB93342E598B6895858112666ED9B6falsefalse - insufficient disk space 534500x80000000000000002497983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.523{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002497982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.523{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002497981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.523{21761711-B93C-6081-A686-00000000BB01}44125944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.523{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002497979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.523{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002497978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002497977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002497976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002497975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002497974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002497973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002497972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002497971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002497970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002497969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002497968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002497967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002497966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002497965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002497964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002497963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002497962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002497961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002497960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002497959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002497958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002497957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002497956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002497955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002497954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002497953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002497952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002497951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002497950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002497949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002497948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002497947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002497946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002497945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002497944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002497943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002497942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002497941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002497940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002497939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002497938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002497937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002497936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002497935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.401{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002497934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.386{21761711-B93C-6081-A686-00000000BB01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002497933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:20.385{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:20.385{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:20.385{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:20.385{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002497929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 17:58:20.385{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002497928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 17:58:20.385{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002497927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.118{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:20.118{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25805A2425AE0A3F9AB6794449F99E13,SHA256=07E301809DE4084F4A069A5312B111FB6720E9AA683C9F66C879F8BCD3D9F9BFfalsefalse - insufficient disk space 13241300x80000000000000001550895Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 17:58:20.337{761B69BB-818C-607D-1000-00000000BA01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d737a1-0x1477d033) 10341000x80000000000000001550894Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:20.268{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550893Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:20.268{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:21.240{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:21.240{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBA35AF5122103C5E2E0077EBE99904,SHA256=24AF5458C84A4662D5561290DAAD62D221192EBF0D62347127DE26515B15CD14falsefalse - insufficient disk space 23542300x80000000000000001550900Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:21.617{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16AC68602DD277A68B9D5901BDCF22A,SHA256=B95E6954B344B515332146C0BBAD488DC34E06738D98028299EEEC0F78960FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550899Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:21.493{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D617E21E83325378D06CD801BCD519,SHA256=5D85512D8A99DCDA2566583F77762CD2417AF1BB5ED6D19309F3EEE605AD6B07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550898Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:21.273{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550897Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:21.273{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:22.458{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:22.458{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1F622F1126835FFB85F702467CFE5D,SHA256=82FD7B0C3DC92C1DADEDB1C29CDCFB43CCAA650564039D5B8CDC0A90153C4F5Afalsefalse - insufficient disk space 23542300x80000000000000001550904Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:22.620{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FD1AA0798DC87176CAD9B118DD26A4,SHA256=09B2C2D720EBFFF4793BCBFF0E2BE467432DFF7F62A92D1F34635573ED072426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550903Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:22.275{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550902Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:22.275{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:15.876{761B69BB-818C-607D-1000-00000000BA01}100C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-982.attackrange.local123ntpfalse169.254.169.123-123ntp 11241100x80000000000000002497994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:23.490{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:23.490{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB03A0F9CEA71E3E19D89FCBC05B2CD,SHA256=E82F1B7FB367B3DDAD7765292B484A3FAFB4AEE1EF6A9F93E2F238078BC143A2falsefalse - insufficient disk space 23542300x80000000000000001550907Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:23.629{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCB3EBA716D626046083512B54F59BC,SHA256=0CD7F8B7D4DFB4B0A5DBA71DE9EC3B189BAE63D8BA3693B36551C20A7F370996,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:23.222{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-04-19 13:21:46.711 23542300x80000000000000002497991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:23.221{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=716CD6DE97EFE1FA95132E1B7EB0386B,SHA256=35A8558CF3B6AEB7642AAAD97E6BB5F97344C62224417BE3D1E76D4C239F54C3falsefalse - insufficient disk space 10341000x80000000000000001550906Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:23.276{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550905Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:23.276{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002497996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:24.606{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:24.606{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7956E533FD6B5C2327DCD68EAECC6148,SHA256=BA009B7F8A3B00BCFA6146E7953EA465CD7213C2BC351BBA70DA737152D4E7AAfalsefalse - insufficient disk space 23542300x80000000000000001550911Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:24.632{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1D95EA098AB4370AF276EBD7E81801,SHA256=F44A66C09C236EB01E6F94E4FCC542A170D6513825EFD310CCD76CC7188F8692,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550910Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:24.277{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550909Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:24.277{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550908Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:24.116{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0DE9B96744EF331CE98DD57A07CF5E4,SHA256=83570CFB50CE714CEA3A4033EEDBB44F8E3D4943F2B666746B3F9B7E521254B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002497998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:25.844{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002497997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:25.844{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D7B93308451AE923185BF11D7B45BB,SHA256=FA0491E472E61277297C264721F0C5A18BF37A9900C16534889283AC7E9E7579falsefalse - insufficient disk space 23542300x80000000000000001550916Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:25.637{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6A8683DCF44FDF42F2CFECA10DBCEA,SHA256=718B97D2D01635E059497C86865CA0479F0B6746F1BF5574B9CC25945ADF7156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550915Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:25.278{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550914Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:25.278{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550913Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:19.369{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local19392-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001550912Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:18.647{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19391-false10.0.1.12-8000- 11241100x80000000000000002498004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:26.926{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:26.925{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1A65DE23ABE6550F5F4598C617DEEE,SHA256=7CB3DDE39CEB592F50428D92895CC43977424C9A13C2D826CF9591B48ECE1EC2falsefalse - insufficient disk space 23542300x80000000000000001550919Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:26.642{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9850813EFBAD2552D265109754C9647B,SHA256=8E451193DCBDA87D57EAD50C2FFF3C69C665BE033CF5AB5ED9994047822BABD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:26.091{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002498001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:26.091{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD6F29B374F4BCB35FA80065FC8E7E34,SHA256=6522373CC3B57AA898790C0A1F42B178612F4ADB16DC5856CAC5714871946A55falsefalse - insufficient disk space 11241100x80000000000000002498000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:26.091{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002497999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:26.091{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A2227143EE4EF298C3FE2642F468754,SHA256=7DDABBE6DE23FB0221BFA24AEA38DFD0845E97629F84B7BC98074C57B71F1A5Dfalsefalse - insufficient disk space 10341000x80000000000000001550918Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:26.278{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550917Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:26.278{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:27.977{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:27.977{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEB3EFFE568EDC925C09CB3BDCC907D,SHA256=28C385025BE4DDA27A18E68EC5AABFE2733E57C02F670ECD866BA58A4C6C8001falsefalse - insufficient disk space 23542300x80000000000000001550922Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:27.645{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F578CEC46F7AE69AE23BD9D34BFE8572,SHA256=EEC10BB815803C300446393A661DD6FD81AE2355AD1B7E7622A554B084ECB491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550921Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:27.279{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550920Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:27.279{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:28.979{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:28.979{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E340725737510F449673B1C3DFAB812E,SHA256=B45D11341118258290DF9F4EDCED61E6EF3B3F15807139F3354F52D3863B6F84falsefalse - insufficient disk space 23542300x80000000000000001550925Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:28.648{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CC3B119F9D73571BA7B1DFF2F8B525,SHA256=21C54DEF278024EE4FDC419B2B986405BE1AAEAC6A300E4301646F0BA45C5FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002498007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:24.547{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50221-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001550924Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:28.280{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550923Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:28.280{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550928Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:29.654{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2EAB8AC524948F866BA25CFA09F41F,SHA256=0DC918EE1710E1B41F5DD8A688C91C01230EC0233687269B2D263914802260FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550927Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:29.281{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550926Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:29.281{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550933Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:30.663{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A6D31E965CDFD92CDF9B4C251A2302,SHA256=F50B3DBD72D07CC073A53DB4072A0A4CF1E782E6A8B989142251ADCBB27D77C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:30.095{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:30.095{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB1C369C06C590A1BDF9ABEA9BD809F,SHA256=3D35D58AE2CD92A85323E4094E13C1FD1CFD71DFC1BD5C920DE601DE74BF362Efalsefalse - insufficient disk space 10341000x80000000000000001550932Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:30.282{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550931Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:30.282{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550930Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:30.013{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=290DA07F2EF66E1351AC279C21C6FA46,SHA256=45690D858334475A73D80B042392F1CAF330251BB522652A8085D7258550FB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550929Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:30.012{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A85F0D3F2E9A20502E3AEC608CEA2A8,SHA256=2E322E90D43A278F05669516F13DB874C1725ED2297321532CEFF2FA0E862BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550938Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:31.669{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3659248A568E1352AC384258F32B4363,SHA256=B37D873C68F9173CC4EEDBAC35E0FDE23A684CFD2C8453D57DD374265803A650,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:31.113{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:31.113{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9308963AC59484F4E8D7B95885B656,SHA256=C30C7F65A6932A0D6ACAB308A0A70DC013894A8BB8F17BB03662294D15F1049Cfalsefalse - insufficient disk space 10341000x80000000000000001550937Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:31.283{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550936Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:31.283{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550935Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:24.542{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19393-false10.0.1.12-8000- 23542300x80000000000000001550934Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:31.061{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=290DA07F2EF66E1351AC279C21C6FA46,SHA256=45690D858334475A73D80B042392F1CAF330251BB522652A8085D7258550FB6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:31.097{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002498014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:31.097{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F43216A6DAF0BB05D0CF6CC56C70FDE3,SHA256=DD9BBF79B7BD3BBA6747C36F6799B5BB677B7CD3797F02A843AE2B7541B9CD41falsefalse - insufficient disk space 11241100x80000000000000002498013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:31.097{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002498012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:31.097{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD6F29B374F4BCB35FA80065FC8E7E34,SHA256=6522373CC3B57AA898790C0A1F42B178612F4ADB16DC5856CAC5714871946A55falsefalse - insufficient disk space 23542300x80000000000000001550943Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:32.677{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2092BDD6A2F9EAF92B609F998EF04BD,SHA256=19A8B93AD48462E449EFE374CB302D06D0D659F45B53607BFCFCC9D554E33277,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:32.215{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:32.215{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015686EEF356A9CEF16AD1EAC600CE69,SHA256=AEF134043170DE18CC1255053DE3F5F387AF0087EDE6D985C660AE6CD11A0C36falsefalse - insufficient disk space 10341000x80000000000000001550942Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:32.284{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550941Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:32.284{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001550940Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:25.589{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local19394-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001550939Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:25.589{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local19394-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000002498018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:29.567{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50222-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001550946Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:33.695{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F265732FCBA11B3F661CF28ADC80E07,SHA256=09651B0656CB5F36A32F444C88F6D21F759678BF7234DF592683E3290880FA9F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:33.439{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:33.439{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17A0B3313A9734436C5B292C1DEB14C,SHA256=A0DDC0710728699A99D797E990486C26AAAA9CD009B4432AC5F2966F068A02D1falsefalse - insufficient disk space 10341000x80000000000000001550945Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:33.285{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550944Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:33.285{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:34.603{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:34.603{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A809FEAB92EF6D2A8B3344FC885B786C,SHA256=D930EBEBC4F163C07F17782DDC8F33CB70CE0543EBB621BF5403BA9335AE38C9falsefalse - insufficient disk space 23542300x80000000000000001550949Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:34.711{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D43C360C16A70429FCC85C714271D4,SHA256=419671943D9A899A9EC15ABCD03F1189437DBE9BFC2FBBFC090C726FC2FFED4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550948Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:34.286{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550947Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:34.286{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550953Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:35.714{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE42BFC7FB58697089A512CF44446326,SHA256=8BFE96D1EBFEC85CE658B887BD921A2E820D25A1F673B217D8DCEC19BBC42672,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:35.658{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:35.658{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B937136D89040C954510EB07E491CF,SHA256=515F049C07DED27F95896C60F8442C6ACDA15C2B55453B216AAC9C6BD4860657falsefalse - insufficient disk space 10341000x80000000000000001550952Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:35.287{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550951Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:35.287{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550950Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:35.148{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1935232F5E1E673CA491C513922D1C5,SHA256=32E20B95FFC234765C62A68DE97AABF1CE1E7CDC6B153F8A39A36439B4E849CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:36.674{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:36.674{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0391087C2F8C19949913F0898A7C1506,SHA256=92BB639130C67DD113EA9EB1278EF1E92F8F30A3F155A81C29FBEC34B6560226falsefalse - insufficient disk space 23542300x80000000000000001550957Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.718{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5996CAA266C3B642686B2528532C19,SHA256=827F0E7497D513B8B4FC67DA41F170E3C023352BE2B3B8FD9BCADF883E352BEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550956Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:29.672{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19395-false10.0.1.12-8000- 10341000x80000000000000001550955Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.288{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550954Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.288{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:36.359{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002498029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:36.359{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F27F664A520DFF85D2B4C3C6D8FD19F,SHA256=F680C039ECFE9B941A5B2143D641F5D44647A6E7C1A2B09749FF68F2E5AE43FAfalsefalse - insufficient disk space 11241100x80000000000000002498028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:36.359{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002498027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:36.359{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F43216A6DAF0BB05D0CF6CC56C70FDE3,SHA256=DD9BBF79B7BD3BBA6747C36F6799B5BB677B7CD3797F02A843AE2B7541B9CD41falsefalse - insufficient disk space 11241100x80000000000000002498035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:37.676{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:37.676{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4412C1C9B0EB046CD3784CD2B18AE0,SHA256=729CD346F69AF4C62F1D14B50DA862288B94BEF728F13687D82C5858DB84F12Ffalsefalse - insufficient disk space 23542300x80000000000000001550960Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:37.726{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D593E8CC2A42DCB561D9BF79908C0D51,SHA256=208F71C719ED2332EE8357CB85BBA13FFD67F817F6C5C1028D0046EEAB4C78A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002498033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:34.591{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50223-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001550959Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:37.289{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550958Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:37.289{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:38.678{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:38.678{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B8BEDF184BE5D27DB3190A6CD2120F,SHA256=057445FD2535FDDEC57A9654DFBDEC2F30A719DAFB42234D33A0618D398A1223falsefalse - insufficient disk space 23542300x80000000000000001550963Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:38.730{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8D65D4D26FCE141DE1C3AE2A8289AA,SHA256=71616918AE4B0B53DD3986B272455239E6DFFE70E3DE10F4BE2FD5E846500FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550962Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:38.290{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:38.290{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:39.680{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:39.680{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5175FB8A6B1FAAF0EC3CAA5CE6655F1D,SHA256=ACD10A20B88C3DA126643C9CAD5FDEB1855B613B57BFCCB3F6ACF7FE1FDD1321falsefalse - insufficient disk space 23542300x80000000000000001550966Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:39.733{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2B3CC84C231735A01B37195DBF7A9B,SHA256=15936A974AE89A809D475E17E3866A507768F4F743E70EA41A4F68DDA09B46CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550965Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:39.291{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550964Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:39.291{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:40.782{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:40.782{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1038BC45FA7BEF05C4C50F2504011CAD,SHA256=34B6A8F659EB7CEE906942548C0F5F5F30AE82865DFB049041CB870E65A08AC0falsefalse - insufficient disk space 10341000x80000000000000001550970Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:40.751{761B69BB-818A-607D-0B00-00000000BA01}632760C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001550969Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:40.738{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC83CDCD9FEE7B9FDCC2EB9A20BAA33,SHA256=052348F1472583842D73A95B912202C3C8B96CB4990ADE6C65D651F4E1101505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001550968Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:40.291{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550967Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:40.291{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002498045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:41.784{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002498044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:41.784{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C655F859FDE5CB147D7C34A5654AD8C,SHA256=69367E6BCC51BDB75533A8E0A50CF9DCB02BA02C21E938057488052546766BEEfalsefalse - insufficient disk space 23542300x80000000000000001550975Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:41.747{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BA80130237BC1477209A1D77E177A7,SHA256=783304C90AE8A1CAD3ABAAE1667393081F6C3C71FB55D6CAD7CAA0C65D2A5D49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:41.283{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002498042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:41.283{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F27F664A520DFF85D2B4C3C6D8FD19F,SHA256=F680C039ECFE9B941A5B2143D641F5D44647A6E7C1A2B09749FF68F2E5AE43FAfalsefalse - insufficient disk space 10341000x80000000000000001550974Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:41.292{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550973Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:41.292{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001550972Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:41.142{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33EFDE77EAF9D5DDA86A0EF2241EAFA2,SHA256=96BEF73773F08EFCE79DA6AB15B6243D89093CAB511E1DCA32D57E5A6570DAE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550971Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:41.141{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=476956E6098A62BB531544B3348BC997,SHA256=1769C7ACF9CA85311584607973944A9646003BAF4C2727FBC78C2D4698307A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550985Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:42.755{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7335A593C46D3306F5A698EF49D388FE,SHA256=CBA9C9A6D0132F10A188E326AE13C4B0046C3767B4B37FC77865652CDD6B5E52,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002498048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:42.885{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000002498047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:42.885{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 354300x80000000000000002498046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 17:58:39.599{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50224-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001550984Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.285{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19399-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001550983Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.285{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19399-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001550982Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.188{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local19398-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001550981Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.188{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19398-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001550980Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.181{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19397-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001550979Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:36.181{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local19397-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001550978Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:35.560{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local19396-false10.0.1.12-8000- 10341000x80000000000000001550977Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:42.292{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550976Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:42.292{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.524{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.524{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.524{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551016Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551015Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551014Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551013Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551011Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551010Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551004Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551003Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.523{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551002Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551001Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551000Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550998Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550997Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550996Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550995Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550993Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550992Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550991Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550990Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550989Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550988Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.522{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-88A9-6081-637F-00000000BA01}5836C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550987Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.293{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550986Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 17:58:43.293{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781