13241300x800000000000000057207052Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2024-03-20 15:59:03.638{6B7A8EA0-07C7-65FB-004B-030000000F03}4172C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEHKCR\CLSID\{00000000-1234-1234-1234-000000000000}\InprocServer32\(Default)C:\Users\bob\MICROS~1\FORMS\PINVOKE~1.HEL\hello.dllAR-WIN-2\Administrator 12241200x800000000000000057207051Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-CreateKey2024-03-20 15:59:03.638{6B7A8EA0-07C7-65FB-004B-030000000F03}4172C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEHKCR\CLSID\{00000000-1234-1234-1234-000000000000}\InprocServer32AR-WIN-2\Administrator 154100x800000000000000057207036Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-03-20 15:59:03.642{6B7A8EA0-07C7-65FB-004B-030000000F03}4172C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationoutlook.exereg add HKCR\CLSID\{00000000-1234-1234-1234-000000000000}\InprocServer32 /ve /t REG_SZ /d "C:\Users\bob\MICROS~1\FORMS\PINVOKE~1.HEL\hello.dll" /fC:\Users\Administrator\AR-WIN-2\Administrator{6B7A8EA0-03BF-65D6-E7CF-060000000000}0x6cfe72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{6B7A8EA0-07C5-65FB-FE4A-030000000F03}2228C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" AR-WIN-2\Administrator 154100x800000000000000057205769Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-03-20 15:58:18.654{6B7A8EA0-079A-65FB-F94A-030000000F03}2288C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationoutlook.exe"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" add HKCR\CLSID\ -encodedCommand MAAwADAAMAAwADAAMAAwAC0AMQAyADMANAAtADEAMgAzADQALQAxADIAMwA0AC0AMAAwADAAMAAwADAAMAAwADAAMAAwADAA \InprocServer32 /ve /t REG_SZ /d C:\Users\bob\MICROS~1\FORMS\PINVOKE~1.HEL\hello.dll /f -inputFormat xml -outputFormat textC:\Users\Administrator\AR-WIN-2\Administrator{6B7A8EA0-03BF-65D6-E7CF-060000000000}0x6cfe72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{6B7A8EA0-71FC-65D6-C70A-000000000F03}988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 154100x800000000000000057205704Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-03-20 15:58:08.951{6B7A8EA0-0790-65FB-F84A-030000000F03}1896C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationoutlook.exe"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" add HKCR\CLSID\ -encodedCommand MAAwADAAMAAwADAAMAAwAC0AMQAyADMANAAtADEAMgAzADQALQAxADIAMwA0AC0AMAAwADAAMAAwADAAMAAwADAAMAAwADAA \InprocServer32 /ve /t REG_SZ /d C:\Users\bob\MICROS~1\FORMS\PINVOKE~1.HEL\hello.dll /f -inputFormat xml -outputFormat textC:\Users\Administrator\AR-WIN-2\Administrator{6B7A8EA0-03BF-65D6-E7CF-060000000000}0x6cfe72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{6B7A8EA0-71FC-65D6-C70A-000000000F03}988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 154100x800000000000000057205201Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-03-20 15:57:59.905{6B7A8EA0-0787-65FB-F24A-030000000F03}636C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationoutlook.exe"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" add HKCR\CLSID\ -encodedCommand MAAwADAAMAAwADAAMAAwAC0AMQAyADMANAAtADEAMgAzADQALQAxADIAMwA0AC0AMAAwADAAMAAwADAAMAAwADAAMAAwADAA \InprocServer32 /ve /t REG_SZ /d C:\Users\...\MICROS~1\FORMS\PINVOKE~1.HEL\hello.dll /f -inputFormat xml -outputFormat textC:\Users\Administrator\AR-WIN-2\Administrator{6B7A8EA0-03BF-65D6-E7CF-060000000000}0x6cfe72HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{6B7A8EA0-71FC-65D6-C70A-000000000F03}988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator