diff --git a/.gitignore b/.gitignore
index cdb42e79..056d31f1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -103,3 +103,6 @@ venv.bak/
 .mypy_cache/
 package/bin/sftp-config.json
 package/default/sftp-config.json
+
+# total_replay output
+total_replay/output/
diff --git a/total_replay/CLAUDE.md b/total_replay/CLAUDE.md
new file mode 100644
index 00000000..43eb6182
--- /dev/null
+++ b/total_replay/CLAUDE.md
@@ -0,0 +1,86 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+TOTAL-REPLAY is a Python CLI tool by Splunk Threat Research Team for replaying attack data and test logs from Splunk Security Content and Splunk Attack Data projects. It automates detection testing by replaying relevant attack data based on detection metadata (names, GUIDs, MITRE ATT&CK IDs, analytic stories).
+
+## Development Setup
+
+```bash
+poetry shell
+poetry install
+```
+
+**Requirements:** Python 3.13+
+
+**Environment Variables (required):**
+- `SPLUNK_HOST` - Splunk server IP/hostname
+- `SPLUNK_HEC_TOKEN` - HTTP Event Collector authentication token
+
+## Running the Tool
+
+```bash
+# By detection name (also searches .yml filenames)
+python3 total_replay.py -n '7zip CommandLine To SMB Share Path, CMLUA Or CMSTPLUA UAC Bypass'
+
+# By MITRE ATT&CK technique ID
+python3 total_replay.py -tid 'T1021, T1020, T1537'
+
+# By detection GUID
+python3 total_replay.py -g '01d29b48-ff6f-11eb-b81e-acde48001123'
+
+# By analytic story
+python3 total_replay.py -as 'AgentTesla, Remcos'
+
+# From file with mixed metadata (greedy mode)
+python3 total_replay.py -fgr './test/test_names.txt'
+
+# Replay from local cache (skip re-downloading)
+python3 total_replay.py -ld './output/2025-12-12/guid/replayed_yaml_cache'
+
+# Specify custom index (default: "test")
+python3 total_replay.py -i main -tid 'T1071'
+```
+
+File-based inputs also available: `-fn` (names), `-ftid` (technique IDs), `-fg` (GUIDs), `-fas` (analytic stories).
+
+## Architecture
+
+**Entry Point:** `total_replay.py` - Typer CLI that parses input, delegates to UtilityHelper
+
+**Core Logic:** `utility/utility_helper.py` - UtilityHelper class handles:
+- `search_security_content()` - Walks security_content/detections to find matching YAML files
+- `download_via_attack_data()` - Downloads attack data via `git lfs pull --include=`
+- `send_data_to_splunk()` - POSTs events to Splunk HEC (port 8088, HTTPS)
+- `normalized_file_args()` - Regex categorization of file inputs into metadata types
+
+**Data Flow:**
+1. Parse CLI input and categorize by type (detection names, GUIDs, technique IDs, analytic stories)
+2. Walk security_content detections folder, match YAML files by field
+3. Extract `attack_data` URLs from matched detection YAML
+4. Download data via Git LFS from attack_data repo
+5. Generate YAML cache with metadata in `output///replayed_yaml_cache/`
+6. Send events to Splunk HEC
+
+## Configuration
+
+Edit `configuration/config.yml`:
+```yaml
+settings:
+  security_content_detection_path: ~/security_content/detections
+  attack_data_dir_path: ~/attack_data
+  debug_print: False # Toggle verbose output
+```
+
+## Input File Format
+
+File inputs support mixed metadata. The tool uses regex to auto-categorize:
+- YAML filenames: `^[a-z0-9_]+(?:\.yml)?$`
+- GUIDs: UUID format
+- Technique IDs: `T\d{4}(?:\.\d{3})?`
+- Detection names/analytic stories: Remaining alphanumeric entries
+- Lines starting with `#` are skipped
+
+See `test/test_names.txt` for examples.
diff --git a/total_replay/configuration/config.yml b/total_replay/configuration/config.yml
index 91041763..d474de25 100644
--- a/total_replay/configuration/config.yml
+++ b/total_replay/configuration/config.yml
@@ -1,7 +1,16 @@
 settings:
-  security_content_detection_path: ~/path/to/your/security_content/detections
-  attack_data_dir_path: ~/path/to/your/attack_data
+  security_content_detection_path: ~/security_content/detections
+  attack_data_dir_path: ~/attack_data
   output_dir_name : output
   cache_replay_yaml_name : cache_replay_data.yml
   replayed_yaml_cache_dir_name: replayed_yaml_cache
-  debug_print: False
\ No newline at end of file
+  debug_print: True
+
+# Splunk connection settings
+# Environment variables (SPLUNK_HOST, SPLUNK_USERNAME, SPLUNK_PASSWORD, SPLUNK_HEC_TOKEN)
+# will override these values if set
+splunk:
+  host: attack-data
+  username: admin
+  password: seamlesslabs
+  hec_token: f9d2e13d-63ca-4bf2-8dcb-aa3a9d7dafff
diff --git a/total_replay/detection_results.jsonl b/total_replay/detection_results.jsonl
new file mode 100644
index 00000000..a8c90cda
--- /dev/null
+++ b/total_replay/detection_results.jsonl
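Review bot: The new `splunk:` block commits working credentials into a tracked config file — `username: admin`, `password: seamlesslabs` and what appears to be a live HEC token `f9d2e13d-…` — while the `.gitignore` change in the same commit only excludes `total_replay/output/`, so these values ship with the repository and its history. Treat the password and token as exposed and rotate them; keep only placeholders in the tracked file (e.g. `password: ""` / `hec_token: ""`) and take real values from the environment variables the comment already names, or from an ignored local override file. The comment says the env vars "will override these values if set" while the new CLAUDE.md calls `SPLUNK_HOST`/`SPLUNK_HEC_TOKEN` required and never mentions `SPLUNK_USERNAME`/`SPLUNK_PASSWORD`; pick one contract and state it in both places. `debug_print` also flips to `True` as the checked-in default, which looks like a development setting left in; the committed default should return to `False` so verbose output is opt-in.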
@@ -0,0 +1,76 @@ +{"file_name": "rundll32_shimcache_flush.yml", "description": "The following analytic detects the execution of a suspicious rundll32 command line used to clear the shim cache. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because clearing the shim cache is an anti-forensic technique aimed at evading detection and removing forensic artifacts. If confirmed malicious, this action could hinder incident response efforts, allowing an attacker to cover their tracks and maintain persistence on the compromised machine.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process = \"*apphelp.dll,ShimFlushCache*\" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_shimcache_flush_filter`", "results": [{"action": "allowed", "dest": "win-dc-676.attackrange.local", "original_file_name": "RUNDLL32.EXE", "parent_process": "\"C:\\Windows\\system32\\cmd.exe\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{6EDEAD03-011D-615C-0205-00000000FB01}", "parent_process_id": "5428", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "Rundll32.exe apphelp.dll,ShimFlushCache", "process_exec": "rundll32.exe", "process_guid": 
"{6EDEAD03-0CA2-615C-6E06-00000000FB01}", "process_hash": "MD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C", "process_id": "5484", "process_integrity_level": "high", "process_name": "rundll32.exe", "process_path": "C:\\Windows\\System32\\rundll32.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2021-10-05T08:28:18", "lastTime": "2025-12-10T02:12:00"}], "error": null} +{"file_name": "fodhelper_uac_bypass.yml", "description": "The following analytic detects the execution of fodhelper.exe, which is known to exploit a User Account Control (UAC) bypass by leveraging specific registry keys. The detection method uses Endpoint Detection and Response (EDR) telemetry to identify when fodhelper.exe spawns a child process and accesses the registry keys. This activity is significant because it indicates a potential privilege escalation attempt by an attacker. 
If confirmed malicious, the attacker could execute commands with elevated privileges, leading to unauthorized system changes and potential full system compromise.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `fodhelper_uac_bypass_filter`", "results": [{"action": "allowed", "dest": "AttackBox-Win10", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\system32\\fodhelper.exe\"", "parent_process_exec": "fodhelper.exe", "parent_process_guid": "{51A89197-C782-6552-C802-000000001E00}", "parent_process_id": "4400", "parent_process_name": "fodhelper.exe", "parent_process_path": "C:\\Windows\\System32\\fodhelper.exe", "process": "\"C:\\Windows\\System32\\cmd.exe\"", "process_exec": "cmd.exe", "process_guid": "{51A89197-C782-6552-C902-000000001E00}", "process_hash": "SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE", "process_id": "2972", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "VICTIM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T05:06:24", "lastTime": 
"2025-12-10T06:33:40"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\System32\\fodhelper.exe\"", "parent_process_exec": "fodhelper.exe", "parent_process_guid": "{31314CAD-F2B5-5FB4-0000-0010516E0900}", "parent_process_id": "4736", "parent_process_name": "fodhelper.exe", "parent_process_path": "C:\\Windows\\System32\\fodhelper.exe", "process": "\"C:\\Windows\\System32\\cmd.exe\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B5-5FB4-0000-001022740900}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4996", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:53", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "fodhelper.exe", "parent_process_exec": "fodhelper.exe", "parent_process_guid": "{31314CAD-F2B4-5FB4-0000-001075480900}", "parent_process_id": "4112", "parent_process_name": "fodhelper.exe", "parent_process_path": "C:\\Windows\\System32\\fodhelper.exe", "process": "\"C:\\Windows\\System32\\cmd.exe\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B5-5FB4-0000-00107B520900}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2012", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:53", "lastTime": "2025-12-10T06:33:10"}, 
{"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "fodhelper.exe", "parent_process_guid": "{31314CAD-F2B4-5FB4-0000-001075480900}", "parent_process_id": "4112", "parent_process_name": "fodhelper.exe", "parent_process_path": "C:\\Windows\\system32\\fodhelper.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B5-5FB4-0000-00107B520900}", "process_hash": "null", "process_id": "2012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:53", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "fodhelper.exe", "parent_process_guid": "{31314CAD-F2B5-5FB4-0000-0010516E0900}", "parent_process_id": "4736", "parent_process_name": "fodhelper.exe", "parent_process_path": "C:\\Windows\\System32\\fodhelper.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F28E-5FB4-0000-001089AC0600}", "process_hash": "null", "process_id": "4996", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:53", "lastTime": "2025-12-10T06:33:10"}], "error": null} +{"file_name": "windows_modify_registry_disableremotedesktopantialias.yml", "description": "The following analytic detects modifications to the Windows registry key \"DisableRemoteDesktopAntiAlias\" with a value set to 0x00000001. This detection leverages data from the Endpoint datamodel, specifically monitoring changes in the Registry node. 
This activity is significant as it may indicate the presence of DarkGate malware, which alters this registry setting to enhance its remote desktop capabilities. If confirmed malicious, this modification could allow an attacker to maintain persistence and control over the compromised host, potentially leading to further exploitation and data exfiltration.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableRemoteDesktopAntiAlias\" Registry.registry_value_data = 0x00000001 by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disableremotedesktopantialias_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-106C-655F-E301-000000002903}", "process_id": "4448", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableRemoteDesktopAntiAlias", "registry_key_name": "Terminal Services", "registry_value_data": "0x00000001", "registry_value_name": "DisableRemoteDesktopAntiAlias", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-11-23T08:42:20", "lastTime": "2023-11-23T08:42:20"}], "error": null} +{"file_name": "windows_modify_registry_maxconnectionperserver.yml", "description": "The following analytic identifies a suspicious modification of the Windows registry setting for max connections per server. 
It detects changes to specific registry paths using data from the Endpoint.Registry datamodel. This activity is significant because altering this setting can be exploited by attackers to increase the number of concurrent connections to a remote server, potentially facilitating DDoS attacks or enabling more effective lateral movement within a compromised network. If confirmed malicious, this could lead to network disruption or further compromise of additional systems.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPerServer*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPer1_0Server*\") Registry.registry_value_data = \"0x0000000a\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{13E3B8D2-E0E1-64BF-D608-00000000F902}", "process_id": "6808", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3884345684-401274181-143496042-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server", "registry_key_name": "Internet Settings", "registry_value_data": "0x0000000a", "registry_value_name": "MaxConnectionsPer1_0Server", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft 
Sysmon", "count": "3", "firstTime": "2023-07-25T14:49:07", "lastTime": "2023-07-25T14:49:07"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{13E3B8D2-E0E1-64BF-D608-00000000F902}", "process_id": "6808", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3884345684-401274181-143496042-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer", "registry_key_name": "Internet Settings", "registry_value_data": "0x0000000a", "registry_value_name": "MaxConnectionsPerServer", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-25T14:49:07", "lastTime": "2023-07-25T14:49:07"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{13E3B8D2-E0E3-64BF-D808-00000000F902}", "process_id": "6928", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3884345684-401274181-143496042-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server", "registry_key_name": "Internet Settings", "registry_value_data": "0x0000000a", "registry_value_name": "MaxConnectionsPer1_0Server", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-25T14:49:09", "lastTime": "2023-07-25T14:49:09"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{13E3B8D2-E0E3-64BF-D808-00000000F902}", "process_id": "6928", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3884345684-401274181-143496042-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer", "registry_key_name": "Internet Settings", "registry_value_data": "0x0000000a", "registry_value_name": "MaxConnectionsPerServer", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", 
"vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-25T14:49:09", "lastTime": "2023-07-25T14:49:09"}], "error": null} +{"file_name": "windows_disable_shutdown_button_through_registry.yml", "description": "The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with shutdown policies. This activity is significant because it is a tactic used by malware, particularly ransomware like KillDisk, to hinder system usability and prevent the removal of malicious changes. If confirmed malicious, this could impede system recovery efforts, making it difficult to restart the machine and remove other harmful modifications.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "results": [{"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9D08-000000003602}", "process_id": 
"5116", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoClose", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:17", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-A008-000000003602}", "process_id": "4316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon", "registry_key_name": "System", "registry_value_data": "0x00000000", "registry_value_name": "shutdownwithoutlogon", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:17", "lastTime": "2025-12-10T02:08:59"}], "error": null} +{"file_name": "windows_modify_registry_do_not_connect_to_win_update.yml", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic updates. It leverages data from the Endpoint datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" with a value of \"0x00000001\". This activity is significant as it can be used by adversaries, including malware like RedLine Stealer, to evade detection and prevent the system from receiving critical updates. 
If confirmed malicious, this could allow attackers to exploit vulnerabilities, persist in the environment, and potentially deploy additional payloads.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\DoNotConnectToWindowsUpdateInternetLocations\" AND Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_do_not_connect_to_win_update_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B5D-6442-4403-00000000DD02}", "process_id": "6216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations", "registry_key_name": "WindowsUpdate", "registry_value_data": "0x00000001", "registry_value_name": "DoNotConnectToWindowsUpdateInternetLocations", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:37", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C03-6442-7003-00000000DD02}", "process_id": "3668", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations", "registry_key_name": "WindowsUpdate", 
"registry_value_data": "0x00000001", "registry_value_name": "DoNotConnectToWindowsUpdateInternetLocations", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:25", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8A03-00000000DD02}", "process_id": "6436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations", "registry_key_name": "WindowsUpdate", "registry_value_data": "0x00000001", "registry_value_name": "DoNotConnectToWindowsUpdateInternetLocations", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_modify_registry_longpathsenabled.yml", "description": "The following analytic detects a modification to the Windows registry setting \"LongPathsEnabled,\" which allows file paths longer than 260 characters. This detection leverages data from the Endpoint.Registry datamodel, focusing on changes to the specific registry path and value. This activity is significant because adversaries, including malware like BlackByte, exploit this setting to bypass file path limitations, potentially aiding in evasion techniques. 
If confirmed malicious, this modification could facilitate the execution of long-path payloads, aiding in persistence and further system compromise.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_longpathsenabled_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{08CB57FB-CDE3-64AB-1702-00000000FA02}", "process_id": "3160", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled", "registry_key_name": "FileSystem", "registry_value_data": "0x00000001", "registry_value_name": "LongPathsEnabled", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T09:22:43", "lastTime": "2023-07-10T09:22:43"}], "error": null} +{"file_name": "windows_disable_logoff_button_through_registry.yml", "description": "The following analytic detects a suspicious registry modification that disables the logoff feature on a Windows host. It leverages data from the Endpoint.Registry data model to identify changes to specific registry values associated with logoff functionality. 
This activity is significant because it can indicate ransomware attempting to make the compromised host unusable and hinder remediation efforts. If confirmed malicious, this action could prevent users from logging off, complicate incident response, and allow attackers to maintain persistence and control over the affected system.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "results": [{"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9E08-000000003602}", "process_id": "5224", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoLogOff", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:17", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": 
"{C64CDE3E-2FCC-6227-C408-000000003602}", "process_id": "6872", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "StartMenuLogOff", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:28:28", "lastTime": "2025-12-10T02:08:59"}], "error": null} +{"file_name": "disable_registry_tool.yml", "description": "The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" with a value of \"0x00000001\". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. 
If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "results": [{"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6672-6064-7201-00000000AE01}", "process_id": "724", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "registry_key_name": "System", "registry_value_data": "0x00000001", "registry_value_name": "DisableRegistryTools", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-667C-6064-7301-00000000AE01}", "process_id": "2852", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system\\DisableRegistryTools", "registry_key_name": "system", "registry_value_data": "0x00000001", "registry_value_name": 
"DisableRegistryTools", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}], "error": null} +{"file_name": "windows_modify_registry_dontshowui.yml", "description": "The following analytic detects modifications to the Windows Error Reporting registry key \"DontShowUI\" to suppress error reporting dialogs. It leverages data from the Endpoint datamodel's Registry node to identify changes where the registry value is set to 0x00000001. This activity is significant as it is commonly associated with DarkGate malware, which uses this modification to avoid detection during its installation. If confirmed malicious, this behavior could allow attackers to maintain a low profile, avoiding user alerts and potentially enabling further malicious activities without user intervention.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\DontShowUI\" Registry.registry_value_data = 0x00000001 by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_dontshowui_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1075-655F-EB01-000000002903}", "process_id": "4284", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\DontShowUI", 
"registry_key_name": "Windows Error Reporting", "registry_value_data": "0x00000001", "registry_value_name": "DontShowUI", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-11-23T08:42:29", "lastTime": "2023-11-23T08:42:29"}], "error": null} +{"file_name": "windows_modify_registry_regedit_silent_reg_import.yml", "description": "The following analytic detects the modification of the Windows registry using the regedit.exe application with the silent mode parameter. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because the silent mode allows registry changes without user confirmation, which can be exploited by adversaries to import malicious registry settings. If confirmed malicious, this could enable attackers to persist in the environment, escalate privileges, or manipulate system configurations, leading to potential system compromise.", "spl_query": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\") AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`windows_modify_registry_regedit_silent_reg_import_filter`", "results": [{"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-bcdedit.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-6FFF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "5108", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-diskshadow.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-71FF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "5832", "process_integrity_level": "high", 
"process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-net.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-72FF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "6552", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-powershell.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-70FF-000000000E02}", "process_hash": 
"MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "2772", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-taskkill.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-73FF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "3064", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S 
reg-patches\\raccine-reg-patch-uninstall.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1133-61B1-63FF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "364", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-vssadmin.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-6CFF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "2732", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": 
"{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-wbadmin.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-6EFF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "3520", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-137.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Downloads\\Raccine\\Raccine\\install-raccine.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{9DBE88B5-1126-61B1-57FF-000000000E02}", "parent_process_id": "3172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "REGEDIT.EXE /S reg-patches\\raccine-reg-patch-wmic.reg", "process_exec": "regedit.exe", "process_guid": "{9DBE88B5-1134-61B1-6DFF-000000000E02}", "process_hash": "MD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448", "process_id": "4988", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2025-12-10T07:29:29", "lastTime": "2025-12-10T07:29:29"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": 
"C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Programdata\\Windows\\install.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{B58D6529-E8EC-62A1-9D01-000000006102}", "parent_process_id": "2096", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process": "regedit /s \"reg1.reg\"", "process_exec": "regedit.exe", "process_guid": "{B58D6529-E8EC-62A1-9F01-000000006102}", "process_hash": "MD5=2E327F27B5B836D8304DF46E8E20341A,SHA256=1EDA28D11BB4EC6DE741B7A9323B1358D93F796791799F787AC5626116B4ACBC,IMPHASH=9593621560C3E73E6E96ECEB399444FE", "process_id": "4580", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\SysWOW64\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2022-06-09T12:34:52", "lastTime": "2026-01-23T22:13:24"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "REGEDIT.EXE", "parent_process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Programdata\\Windows\\install.bat\" \"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{B58D6529-E8EC-62A1-9D01-000000006102}", "parent_process_id": "2096", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "process": "regedit /s \"reg2.reg\"", "process_exec": "regedit.exe", "process_guid": "{B58D6529-E8EC-62A1-A001-000000006102}", "process_hash": "MD5=2E327F27B5B836D8304DF46E8E20341A,SHA256=1EDA28D11BB4EC6DE741B7A9323B1358D93F796791799F787AC5626116B4ACBC,IMPHASH=9593621560C3E73E6E96ECEB399444FE", "process_id": "100", "process_integrity_level": "high", "process_name": "regedit.exe", "process_path": "C:\\Windows\\SysWOW64\\regedit.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "firstTime": "2022-06-09T12:34:52", "lastTime": "2026-01-23T22:13:24"}], "error": null} +{"file_name": 
"windows_disable_windows_group_policy_features_through_registry.yml", "description": "The following analytic detects suspicious registry modifications aimed at disabling Windows Group Policy features. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values associated with disabling key Windows functionalities. This activity is significant because it is commonly used by ransomware to hinder mitigation and forensic response efforts. If confirmed malicious, this behavior could severely impair the ability of security teams to analyze and respond to the attack, allowing the attacker to maintain control and persist within the compromised environment.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{03D06954-22D8-65BC-EC03-000000004703}", 
"process_id": "4752", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3344543075-1022232225-2459664213-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "6"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3E01-00000000AE01}", "process_id": "2688", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3F01-00000000AE01}", "process_id": "4156", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9908-000000003602}", "process_id": "6692", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", 
"registry_value_name": "NoDesktop", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9B08-000000003602}", "process_id": "4188", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoFind", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9C08-000000003602}", "process_id": "5180", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9F08-000000003602}", "process_id": "6376", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoFileMenu", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": 
"win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FCC-6227-C108-000000003602}", "process_id": "7008", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoSetTaskbar", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FCC-6227-C308-000000003602}", "process_id": "6124", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoTrayContextMenu", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FCC-6227-C508-000000003602}", "process_id": "3484", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TaskbarLockAll", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "TaskbarLockAll", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FCC-6227-C608-000000003602}", "process_id": "2656", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoThemesTab", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoThemesTab", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FCC-6227-C708-000000003602}", "process_id": "6780", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoPropertiesMyDocuments", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FEA-6227-CF08-000000003602}", "process_id": "1632", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoVisualStyleChoice", "registry_key_name": "System", "registry_value_data": "0x00000001", "registry_value_name": "NoVisualStyleChoice", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FEA-6227-D308-000000003602}", "process_id": "2812", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoColorChoice", "registry_key_name": "System", "registry_value_data": 
"0x00000001", "registry_value_name": "NoColorChoice", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15"}], "error": null} +{"file_name": "windows_modify_registry_wuserver.yml", "description": "The following analytic detects suspicious modifications to the Windows Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry data model to identify changes in the registry path associated with Windows Update configurations. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. If confirmed malicious, this registry modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUServer\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wuserver_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B5D-6442-4603-00000000DD02}", "process_id": "7072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "WUServer", 
"registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:37", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C06-6442-7203-00000000DD02}", "process_id": "6544", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "WUServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:28", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8C03-00000000DD02}", "process_id": "224", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUServer", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "WUServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_outlook_loadmacroprovideronboot_persistence.yml", "description": "The following analytic detects the modification of the Windows Registry key \"LoadMacroProviderOnBoot\" under Outlook. This enables automatic loading of macros, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel to search for this key being enabled. 
This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"*\\\\Outlook\\\\*\" Registry.registry_value_name=\"LoadMacroProviderOnBoot\" Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_outlook_loadmacroprovideronboot_persistence_filter`", "results": [{"action": "modified", "dest": "WIN10-21H1.snapattack.labs", "process_guid": "F51F9151-CCF0-66AB-510B-000000000C00", "process_id": "9184", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1538153195-943065003-848949206-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\LoadMacroProviderOnBoot", "registry_key_name": "Outlook", "registry_value_data": "0x00000001", "registry_value_name": "LoadMacroProviderOnBoot", "registry_value_type": "REG_DWORD", "status": "success", "user": "localuser", "vendor_product": "Microsoft Sysmon", "count": "3"}], "error": null} +{"file_name": "windows_modify_registry_with_md5_reg_key_name.yml", "description": "The following analytic detects potentially malicious registry modifications characterized by MD5-like registry key names. It leverages the Endpoint data model to identify registry entries under the SOFTWARE path with 32-character hexadecimal names, a technique often used by NjRAT malware for fileless storage of keylogs and .DLL plugins. 
This activity is significant as it can indicate the presence of NjRAT or similar malware, which can lead to unauthorized data access and persistent threats within the environment. If confirmed malicious, attackers could maintain persistence and exfiltrate sensitive information.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\SOFTWARE\\\\*\" Registry.registry_value_data = \"Binary Data\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | eval dropped_reg_path = split(registry_path, \"\\\\\") | eval dropped_reg_path_split_count = mvcount(dropped_reg_path) | eval validation_result= if(match(registry_value_name,\"^[0-9a-fA-F]{32}$\"),\"md5\",\"nonmd5\") | where validation_result = \"md5\" AND dropped_reg_path_split_count <= 5 | table dest user registry_path registry_value_name registry_value_data registry_key_name reg_key_name dropped_reg_path_split_count validation_result | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_with_md5_reg_key_name_filter`", "results": [{"dest": "ar-win-dc.attackrange.local", "user": "Administrator", "registry_path": "HKU\\S-1-5-21-924054271-2621075704-621839002-500\\SOFTWARE\\c4d89260ab33f649750816ed8ac2eedd\\2681e81bb4c4b3e6338ce2a456fb93a7", "registry_value_name": "2681e81bb4c4b3e6338ce2a456fb93a7", "registry_value_data": "Binary Data", "registry_key_name": "c4d89260ab33f649750816ed8ac2eedd", "dropped_reg_path_split_count": "5", "validation_result": "md5"}], "error": null} +{"file_name": "windows_disable_change_password_through_registry.yml", "description": "The following analytic 
detects a suspicious registry modification that disables the Change Password feature on a Windows host. It identifies changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" with a value of \"0x00000001\". This activity is significant as it can prevent users from changing their passwords, a tactic often used by ransomware to maintain control over compromised systems. If confirmed malicious, this could hinder user response to an attack, allowing the attacker to persist and potentially escalate their access within the network.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "results": [{"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FEA-6227-D008-000000003602}", "process_id": "4588", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword", "registry_key_name": "System", "registry_value_data": "0x00000001", "registry_value_name": "DisableChangePassword", "registry_value_type": "REG_DWORD", "status": "success", "user": 
"unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:28:58", "lastTime": "2025-12-10T02:08:59"}], "error": null} +{"file_name": "windows_modify_registry_usewuserver.yml", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key \"UseWUServer.\" It leverages data from the Endpoint.Registry data model to identify changes where the registry value is set to \"0x00000001.\" This activity is significant because it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection mechanisms and potentially exploit zero-day vulnerabilities. If confirmed malicious, this modification could allow attackers to evade defenses, persist on the target host, and deploy additional malicious payloads.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\UseWUServer\" AND Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_usewuserver_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B5D-6442-4303-00000000DD02}", "process_id": "5552", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "UseWUServer", 
"registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:37", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C01-6442-6F03-00000000DD02}", "process_id": "5500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "UseWUServer", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:23", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8903-00000000DD02}", "process_id": "6328", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\UseWUServer", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "UseWUServer", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_defender_asr_registry_modification.yml", "description": "The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. 
If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.", "spl_query": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)`| rename host as dest | `security_content_ctime(lastTime)` | `windows_defender_asr_registry_modification_filter`", "results": [], "error": null} +{"file_name": "windows_deleted_registry_by_a_non_critical_process_file_path.yml", "description": "The following analytic detects the deletion of registry keys by non-critical processes. It leverages Endpoint Detection and Response (EDR) data, focusing on registry deletion events and correlating them with processes not typically associated with system or program files. This activity is significant as it may indicate malware, such as the Double Zero wiper, attempting to evade defenses or cause destructive payload impacts. 
If confirmed malicious, this behavior could lead to significant system damage, loss of critical configurations, and potential disruption of services.", "spl_query": "| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry WHERE Registry.action=deleted BY _time span=1h Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`", "results": [{"_time": "2021-06-02T08:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", 
"registry_key_name": "1", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2021-06-02T08:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2021-06-02T08:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2021-06-02T08:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2022-03-08T10:00:00.000+00:00", "parent_process_name": "csrss.exe", "parent_process": "unknown", "process_name": "_vea.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\_vea.exe", "process": "unknown", "process_guid": "{00000000-0000-0000-0000-000000000000}", "registry_path": 
"HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "HideClock", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "unknown"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Run", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Shell Extensions", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "Cached", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\S-1-5-21-2214540325-3392803530-572759246-500\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar\\ShellBrowser", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ShellBrowser", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e96a-e325-11ce-bfc1-08002be10318}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e96c-e325-11ce-bfc1-08002be10318}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", 
"registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{6bdd1fc6-810f-11d0-bec7-08002be2092f}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-03-24T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{6d807884-7d21-11cf-801c-08002be10318}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\hivelist\\\\REGISTRY\\MACHINE\\DRIVERS", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "DRIVERS", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": 
"unknown"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\3", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": 
"3", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Session0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Owner", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Owner", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": 
"2022-06-09T12:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFiles0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFiles0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFilesHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFilesHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", 
"parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Sequence", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Sequence", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2022-06-09T12:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\SessionHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "SessionHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": 
"{FCCA13C7-30EA-63C5-0100-00000000AF02}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\tunnel\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "unknown"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{FCCA13C7-30EA-63C5-0100-00000000AF02}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\tunnel\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "unknown"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "\"C:\\Windows\\Explorer.EXE\" /NOUACCHECK", "process_name": "ConfirmEmail.exe", "process_path": "C:\\Temp\\ConfirmEmail.exe", "process": "\"C:\\Temp\\ConfirmEmail.exe\"", "process_guid": "{FCCA13C7-394B-63C5-A305-00000000AF02}", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Session0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "Administrator"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "\"C:\\Windows\\Explorer.EXE\" /NOUACCHECK", "process_name": "ConfirmEmail.exe", "process_path": "C:\\Temp\\ConfirmEmail.exe", "process": "\"C:\\Temp\\ConfirmEmail.exe\"", "process_guid": "{FCCA13C7-394B-63C5-A305-00000000AF02}", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Owner", "registry_value_name": "unknown", "registry_value_data": 
"unknown", "registry_key_name": "Owner", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "Administrator"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "\"C:\\Windows\\Explorer.EXE\" /NOUACCHECK", "process_name": "ConfirmEmail.exe", "process_path": "C:\\Temp\\ConfirmEmail.exe", "process": "\"C:\\Temp\\ConfirmEmail.exe\"", "process_guid": "{FCCA13C7-394B-63C5-A305-00000000AF02}", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFiles0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFiles0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "Administrator"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "\"C:\\Windows\\Explorer.EXE\" /NOUACCHECK", "process_name": "ConfirmEmail.exe", "process_path": "C:\\Temp\\ConfirmEmail.exe", "process": "\"C:\\Temp\\ConfirmEmail.exe\"", "process_guid": "{FCCA13C7-394B-63C5-A305-00000000AF02}", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFilesHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFilesHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "Administrator"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "\"C:\\Windows\\Explorer.EXE\" /NOUACCHECK", "process_name": "ConfirmEmail.exe", "process_path": "C:\\Temp\\ConfirmEmail.exe", "process": "\"C:\\Temp\\ConfirmEmail.exe\"", "process_guid": "{FCCA13C7-394B-63C5-A305-00000000AF02}", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Sequence", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "Sequence", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "Administrator"}, {"_time": "2023-01-16T11:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "\"C:\\Windows\\Explorer.EXE\" /NOUACCHECK", "process_name": "ConfirmEmail.exe", "process_path": "C:\\Temp\\ConfirmEmail.exe", "process": "\"C:\\Temp\\ConfirmEmail.exe\"", "process_guid": "{FCCA13C7-394B-63C5-A305-00000000AF02}", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\SessionHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "SessionHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", 
"process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5F1D3C56-34D8-60B7-0100-00000000C601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-410.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "procexp64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\procexp64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\procexp64.exe\"", "process_guid": "{2E2BE06D-7E21-60FE-2E7F-00000000E601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "PROCEXP152", "action": "allowed", "dest": "win-dc-56.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C8EA50B7-11CB-6216-2005-000000003802}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ErrorControl", "registry_value_name": "unknown", "registry_value_data": "unknown", 
"registry_key_name": "ErrorControl", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C8EA50B7-11CB-6216-2005-000000003802}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ImagePath", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ImagePath", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C8EA50B7-11CB-6216-2005-000000003802}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Start", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Start", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T21:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C8EA50B7-11CB-6216-2005-000000003802}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Type", "registry_value_name": "unknown", "registry_value_data": "unknown", 
"registry_key_name": "Type", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4C77B871-975F-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "project-london-host", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4C77B871-975F-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "project-london-host", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4C77B871-975F-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "project-london-host", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4C77B871-975F-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", 
"registry_key_name": "1", "action": "allowed", "dest": "project-london-host", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{8D4DD44E-BF1C-616F-0100-000000000502}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-185.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{8D4DD44E-BF1C-616F-0100-000000000502}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-185.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{8D4DD44E-BF1C-616F-0100-000000000502}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-185.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{8D4DD44E-BF1C-616F-0100-000000000502}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": 
"1", "action": "allowed", "dest": "win-dc-185.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{3CFDEE80-2F48-605B-E70A-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ErrorControl", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ErrorControl", "action": "allowed", "dest": "win-dc-299.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{3CFDEE80-2F48-605B-E70A-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ImagePath", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ImagePath", "action": "allowed", "dest": "win-dc-299.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{3CFDEE80-2F48-605B-E70A-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Start", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Start", "action": "allowed", "dest": "win-dc-299.attackrange.local", "user": 
"Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{3CFDEE80-2F48-605B-E70A-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Type", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Type", "action": "allowed", "dest": "win-dc-299.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "procexp64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\procexp64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\procexp64.exe\"", "process_guid": "{3CFDEE80-2F58-605B-E90A-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "PROCEXP152", "action": "allowed", "dest": "win-dc-299.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{928AB1BB-E4B2-60C1-0100-00000000C401}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-dc-365.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", 
"process_guid": "{2E2BE06D-6DD3-60FA-0100-00000000E601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-56.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{2E2BE06D-6DD3-60FA-0100-00000000E601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-56.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{2E2BE06D-6DD3-60FA-0100-00000000E601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-56.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{2E2BE06D-6DD3-60FA-0100-00000000E601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-56.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "procexp64.exe", "process_path": 
"C:\\Users\\Administrator\\Downloads\\procexp64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\procexp64.exe\"", "process_guid": "{2E2BE06D-7E21-60FE-2E7F-00000000E601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "PROCEXP152", "action": "allowed", "dest": "win-dc-56.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe\"", "process_guid": "{26337912-B4C5-6050-3603-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ErrorControl", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ErrorControl", "action": "allowed", "dest": "win-dc-654.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe\"", "process_guid": "{26337912-B4C5-6050-3603-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ImagePath", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ImagePath", "action": "allowed", "dest": "win-dc-654.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": 
"C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe\"", "process_guid": "{26337912-B4C5-6050-3603-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Start", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Start", "action": "allowed", "dest": "win-dc-654.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\ProcessMonitor\\Procmon64.exe\"", "process_guid": "{26337912-B4C5-6050-3603-00000000AE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Type", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Type", "action": "allowed", "dest": "win-dc-654.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "aurora-agent-util.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{3381F800-7E07-635A-0100-000000008A02}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\hivelist\\\\REGISTRY\\MACHINE\\DRIVERS", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "DRIVERS", "action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "aurora-agent-util.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{3381F800-7E07-635A-0100-000000008A02}", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Enum\\SCSI\\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\\2&1f4adffe&0&000001\\Device Parameters\\Storport", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Storport", "action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "aurora-agent-util.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{3381F800-7E07-635A-0100-000000008A02}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "aurora-agent-util.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{A78D3DEB-1A73-634D-0100-000000008502}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\hivelist\\\\REGISTRY\\MACHINE\\DRIVERS", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "DRIVERS", "action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "aurora-agent-util.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{A78D3DEB-1A73-634D-0100-000000008502}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "user": "unknown"}, 
{"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\hivelist\\\\REGISTRY\\MACHINE\\DRIVERS", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "DRIVERS", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", 
"registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\3", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "3", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Session0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": 
"\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Owner", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Owner", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFiles0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFiles0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" 
/SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFilesHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFilesHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Sequence", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Sequence", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", 
"process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\SessionHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "SessionHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "c.exe", "process_path": "C:\\Temp\\c.exe", "process": "\"C:\\Temp\\c.exe\"", "process_guid": "{414E8EDF-CABB-6218-F103-000000003702}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\fndr", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "fndr", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-478.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{61981517-E6CC-60C1-0100-00000000C501}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-host-977.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "aurora-agent.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5C0BDE06-1A74-634D-0100-000000008502}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": 
"win-host-ctus-attack-range-17", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{7C68B4B2-7DF4-635A-0100-000000008B02}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-host-ctus-attack-range-276", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "Explorer.EXE", "parent_process": "unknown", "process_name": "Wireshark.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\WiresharkPortable64\\App\\Wireshark\\Wireshark.exe", "process": "unknown", "process_guid": "{F6DB49F2-ECEB-6305-4A04-000000007602}", "registry_path": "HKU\\S-1-5-21-615810692-2190200166-3691174995-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-host-ctus-attack-range-538", "user": "unknown"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Run", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", 
"process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Shell Extensions", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Cached", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKU\\S-1-5-21-2214540325-3392803530-572759246-500\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar\\ShellBrowser", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ShellBrowser", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": 
"{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e96a-e325-11ce-bfc1-08002be10318}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e96c-e325-11ce-bfc1-08002be10318}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": "{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{6bdd1fc6-810f-11d0-bec7-08002be2092f}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T22:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE", "process_name": "doublezero_s.exe", "process_path": "C:\\Temp\\doublezero_s.exe", "process": "\"C:\\Temp\\doublezero_s.exe\"", "process_guid": 
"{9531C931-51B4-623C-9B05-000000004302}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{6d807884-7d21-11cf-801c-08002be10318}\\Configuration\\Variables\\FriendlyName", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "FriendlyName", "action": "allowed", "dest": "win-host-tcontreras-attack-range-971", "user": "Administrator"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{ED2ECF8A-9553-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "project-mumbai-host", "user": "unknown"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{ED2ECF8A-9553-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "project-mumbai-host", "user": "unknown"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{ED2ECF8A-9553-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "project-mumbai-host", "user": "unknown"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "GRR.exe", "parent_process": "unknown", "process_name": "System", "process_path": 
"System", "process": "unknown", "process_guid": "{ED2ECF8A-9553-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "project-mumbai-host", "user": "unknown"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "OneDriveSetup.exe", "parent_process": "\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\" /update /restart /updateSource:ODU", "process_name": "OneDriveSetup.exe", "process_path": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", "process": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix /RegisterOneDriveLauncherAutoStartTask /EnableOneDriveLauncherRampDownloads /EnableDeltaBuildToTelemetryFeatureSet /ReLaunchOD4AppHarness /ArgPerformNucleusLocalAccessRepair /PerformEdgeNucleusRepair /PerformChromeNucleusRepair", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\*\\shellex\\ContextMenuHandlers\\ FileSyncEx", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": " FileSyncEx", "action": "allowed", "dest": "soc101win11", "user": "Administrator"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "OneDriveSetup.exe", "parent_process": "\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\" /update /restart /updateSource:ODU", "process_name": "OneDriveSetup.exe", "process_path": 
"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", "process": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix /RegisterOneDriveLauncherAutoStartTask /EnableOneDriveLauncherRampDownloads /EnableDeltaBuildToTelemetryFeatureSet /ReLaunchOD4AppHarness /ArgPerformNucleusLocalAccessRepair /PerformEdgeNucleusRepair /PerformChromeNucleusRepair", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\Directory\\Background\\shellex\\ContextMenuHandlers\\ FileSyncEx", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": " FileSyncEx", "action": "allowed", "dest": "soc101win11", "user": "Administrator"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "OneDriveSetup.exe", "parent_process": "\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\" /update /restart /updateSource:ODU", "process_name": "OneDriveSetup.exe", "process_path": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", "process": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix /RegisterOneDriveLauncherAutoStartTask /EnableOneDriveLauncherRampDownloads /EnableDeltaBuildToTelemetryFeatureSet /ReLaunchOD4AppHarness /ArgPerformNucleusLocalAccessRepair 
/PerformEdgeNucleusRepair /PerformChromeNucleusRepair", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\Directory\\shellex\\ContextMenuHandlers\\ FileSyncEx", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": " FileSyncEx", "action": "allowed", "dest": "soc101win11", "user": "Administrator"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "OneDriveSetup.exe", "parent_process": "\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\" /update /restart /updateSource:ODU", "process_name": "OneDriveSetup.exe", "process_path": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", "process": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix /RegisterOneDriveLauncherAutoStartTask /EnableOneDriveLauncherRampDownloads /EnableDeltaBuildToTelemetryFeatureSet /ReLaunchOD4AppHarness /ArgPerformNucleusLocalAccessRepair /PerformEdgeNucleusRepair /PerformChromeNucleusRepair", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\IE.AssocFile.URL\\shellex\\ContextMenuHandlers\\ FileSyncEx", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": " FileSyncEx", "action": "allowed", "dest": "soc101win11", "user": "Administrator"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "OneDriveSetup.exe", "parent_process": "\"C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\" /update /restart 
/updateSource:ODU", "process_name": "OneDriveSetup.exe", "process_path": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", "process": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode /installWebView2 /SetPerProcessSystemDPIForceOffKey /EnableNucleusAutoStartFix /RegisterOneDriveLauncherAutoStartTask /EnableOneDriveLauncherRampDownloads /EnableDeltaBuildToTelemetryFeatureSet /ReLaunchOD4AppHarness /ArgPerformNucleusLocalAccessRepair /PerformEdgeNucleusRepair /PerformChromeNucleusRepair", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\lnkfile\\shellex\\ContextMenuHandlers\\ FileSyncEx", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": " FileSyncEx", "action": "allowed", "dest": "soc101win11", "user": "Administrator"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-09T23:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T00:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T00:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T00:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T00:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{172D79BE-E25C-6001-0100-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-919.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T01:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{6EDEAD03-5024-615D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-676.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T01:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{6EDEAD03-5024-615D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-676.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T01:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{6EDEAD03-5024-615D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-676.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T01:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{6EDEAD03-5024-615D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-676.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{7F8C56E7-4E39-6063-0100-00000000AF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-877.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{7F8C56E7-4E39-6063-0100-00000000AF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-877.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{7F8C56E7-4E39-6063-0100-00000000AF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-877.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{7F8C56E7-4E39-6063-0100-00000000AF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-877.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{761B69BB-8188-607D-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-982.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{761B69BB-8188-607D-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-982.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{761B69BB-8188-607D-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-982.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{761B69BB-8188-607D-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-982.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "csrss.exe", "parent_process": "unknown", "process_name": "_vea.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\_vea.exe", "process": "unknown", "process_guid": "{00000000-0000-0000-0000-000000000000}", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "HideClock", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": 
"{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": 
"{B81B27B7-1E76-61BA-0100-00000000CD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-987.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B81B27B7-1E76-61BA-0100-00000000CD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-987.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B81B27B7-1E76-61BA-0100-00000000CD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-host-987.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T02:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B81B27B7-1E76-61BA-0100-00000000CD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-987.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": 
"{5EBD8912-8CA0-6151-0100-00000000FD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-8CA0-6151-0100-00000000FD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-8CA0-6151-0100-00000000FD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-8CA0-6151-0100-00000000FD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": 
"{C7A9AC19-4652-609D-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-dc-960.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C7A9AC19-5079-609D-6A05-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ErrorControl", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ErrorControl", "action": "allowed", "dest": "win-dc-960.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C7A9AC19-5079-609D-6A05-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ImagePath", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ImagePath", "action": "allowed", "dest": "win-dc-960.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C7A9AC19-5079-609D-6A05-00000000BA01}", 
"registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Start", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Start", "action": "allowed", "dest": "win-dc-960.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{C7A9AC19-5079-609D-6A05-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Type", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Type", "action": "allowed", "dest": "win-dc-960.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "procexp64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\procexp64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\procexp64.exe\"", "process_guid": "{C7A9AC19-508C-609D-7505-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "PROCEXP152", "action": "allowed", "dest": "win-dc-960.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{33D466E7-4851-609D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", 
"dest": "win-host-979.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "unknown", "parent_process": "unknown", "process_name": "unknown", "process_path": "<unknown process>", "process": "unknown", "process_guid": "{33D466E7-4945-609D-E300-00000000BB01}", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\WDM\\DREDGE", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "DREDGE", "action": "allowed", "dest": "win-host-979.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T03:00:00.000+00:00", "parent_process_name": "unknown", "parent_process": "unknown", "process_name": "unknown", "process_path": "<unknown process>", "process": "unknown", "process_guid": "{33D466E7-4945-609D-E300-00000000BB01}", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Updating", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Updating", "action": "allowed", "dest": "win-host-979.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{5ADF971D-2CC3-6137-1804-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ErrorControl", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ErrorControl", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": 
"\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{5ADF971D-2CC3-6137-1804-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\ImagePath", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ImagePath", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{5ADF971D-2CC3-6137-1804-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Start", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Start", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "Procmon64.exe", "process_path": "C:\\Users\\Administrator\\Downloads\\Procmon64.exe", "process": "\"C:\\Users\\Administrator\\Downloads\\Procmon64.exe\"", "process_guid": "{5ADF971D-2CC3-6137-1804-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\PROCMON24\\Type", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Type", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", 
"action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", 
"process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", 
"parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "download.exe", "parent_process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsgBABF.tmp\\download.exe\" /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsgBABF.tmp\\config.ini", "process_name": "setup.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\7zS84E44D84\\setup.exe", "process": ".\\setup.exe /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsgBABF.tmp\\config.ini", "process_guid": "{E983936C-CD59-6006-7A07-00000000A301}", "registry_path": "HKU\\S-1-5-21-2777022995-896493958-3632306852-500_Classes\\*\\shell\\Firefox-308046B0AF4A39CB", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Firefox-308046B0AF4A39CB", "action": "allowed", "dest": "win-dc-397.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "download.exe", "parent_process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsgBABF.tmp\\download.exe\" /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsgBABF.tmp\\config.ini", "process_name": "setup.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\7zS84E44D84\\setup.exe", "process": ".\\setup.exe /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsgBABF.tmp\\config.ini", "process_guid": "{E983936C-CD59-6006-7A07-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AppId_Catalog\\1F97E3EE", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "1F97E3EE", "action": "allowed", "dest": "win-dc-397.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-1892-6154-0100-00000000FE01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{EAEF4273-2412-60BE-0100-00000000C401}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-721.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{EAEF4273-2412-60BE-0100-00000000C401}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-721.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{EAEF4273-2412-60BE-0100-00000000C401}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", 
"registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-721.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{EAEF4273-2412-60BE-0100-00000000C401}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-721.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{856D1934-D927-6113-0100-00000000E401}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\umbus\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{856D1934-D927-6113-0100-00000000E401}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\xenfilt\\Enum\\19", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "19", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{856D1934-DA89-6113-0100-00000000E501}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", 
"registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "Sysmon.exe", "parent_process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_name": "Sysmon.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Sysmon.exe", "process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_guid": "{856D1934-DDF8-6113-4101-00000000E501}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\Parameters\\CheckRevocation", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "CheckRevocation", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "Sysmon.exe", "parent_process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_name": "Sysmon.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Sysmon.exe", "process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_guid": "{856D1934-DDF8-6113-4101-00000000E501}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\Parameters\\DnsLookup", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "DnsLookup", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "Sysmon.exe", "parent_process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_name": "Sysmon.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Sysmon.exe", "process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_guid": 
"{856D1934-DDF8-6113-4101-00000000E501}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\Parameters\\HashingAlgorithm", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "HashingAlgorithm", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "Sysmon.exe", "parent_process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_name": "Sysmon.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Sysmon.exe", "process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_guid": "{856D1934-DDF8-6113-4101-00000000E501}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\Parameters\\Options", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Options", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "Sysmon.exe", "parent_process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_name": "Sysmon.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Sysmon.exe", "process": "Sysmon.exe -c \"C:\\Program Files\\ansible\\AttackRangeSysmon.xml\"", "process_guid": "{856D1934-DDF8-6113-4101-00000000E501}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SysmonDrv\\Parameters\\Rules", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Rules", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "explorer.exe", "parent_process": "C:\\Windows\\Explorer.EXE /NOUACCHECK", "process_name": "lockbit.exe", "process_path": "C:\\Temp\\lockbit.exe", "process": "\"C:\\Temp\\lockbit.exe\"", "process_guid": 
"{856D1934-DE76-6113-5D01-00000000E501}", "registry_path": "HKU\\S-1-5-21-4098349297-3042404783-2477287307-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\XO1XADpO01", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "XO1XADpO01", "action": "allowed", "dest": "win-dc-837.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{E22C7671-DC5F-6113-0100-00000000E601}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-host-522", "user": "unknown"}, {"_time": "2025-12-10T04:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{634249FB-2B12-6137-0100-00000000F101}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-host-724.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5ABCFE62-8423-603E-0100-00000000AD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": 
"unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5ABCFE62-8423-603E-0100-00000000AD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5ABCFE62-8423-603E-0100-00000000AD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5ABCFE62-8423-603E-0100-00000000AD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-228.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": 
"2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", 
"action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{4DF467A6-3F3E-6132-0100-00000000F001}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": 
"allowed", "dest": "win-dc-291.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "download.exe", "parent_process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsrC10.tmp\\download.exe\" /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsrC10.tmp\\config.ini", "process_name": "setup.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\7zS828F2F75\\setup.exe", "process": ".\\setup.exe /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsrC10.tmp\\config.ini", "process_guid": "{2CC55DE6-7027-5FB6-0000-001005592400}", "registry_path": "HKU\\S-1-5-21-547558961-129183590-1786388743-500_Classes\\*\\shell\\Firefox-308046B0AF4A39CB", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Firefox-308046B0AF4A39CB", "action": "allowed", "dest": "win-dc-480.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "download.exe", "parent_process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsrC10.tmp\\download.exe\" /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsrC10.tmp\\config.ini", "process_name": "setup.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\7zS828F2F75\\setup.exe", "process": ".\\setup.exe /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsrC10.tmp\\config.ini", "process_guid": "{2CC55DE6-7027-5FB6-0000-001005592400}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AppId_Catalog\\1F97E3EE", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1F97E3EE", "action": "allowed", "dest": "win-dc-480.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": 
"{42DC5269-CE8E-6086-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-932.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{42DC5269-CE8E-6086-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-932.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{42DC5269-CE8E-6086-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-932.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{42DC5269-CE8E-6086-0100-00000000BA01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-932.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "aurora-agent.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": 
"{DAC7F284-9924-63CF-0100-00000000B102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-ctus-attack-range-759.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "aurora-agent.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{DAC7F284-9924-63CF-0100-00000000B102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-ctus-attack-range-759.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "aurora-agent.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{DAC7F284-9924-63CF-0100-00000000B102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-ctus-attack-range-759.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "aurora-agent.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{DAC7F284-9924-63CF-0100-00000000B102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-ctus-attack-range-759.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", 
"process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session2Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Keyboard0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0006", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0006", 
"action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Enum\\TERMINPUT_BUS\\UMB\\2&2c22bcc9&0&Session3Mouse0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0067", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "0067", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": 
"unknown", "registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{21761711-83A4-607D-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-5.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{BEA10069-D0B7-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-96.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{BEA10069-D0B7-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-96.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{BEA10069-D0B7-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-host-96.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T05:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{BEA10069-D0B7-6086-0100-00000000BB01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-host-96.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{3BF36828-4B33-61E8-0100-00000000CF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-128.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{3BF36828-4B33-61E8-0100-00000000CF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-128.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{3BF36828-4B33-61E8-0100-00000000CF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-128.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{3BF36828-4B33-61E8-0100-00000000CF01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-128.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-7F11-614D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-7F11-614D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-7F11-614D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\0", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "0", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-7F11-614D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-7F11-614D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\umbus\\Enum\\1", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-7F11-614D-0100-00000000FC01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\xenfilt\\Enum\\20", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "20", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "lsass.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{5EBD8912-8CA0-6151-0100-00000000FD01}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Parport\\ModeCheckedStalled", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "ModeCheckedStalled", "action": "allowed", "dest": "win-dc-429.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "csrss.exe", "parent_process": "unknown", "process_name": "_vea.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\_vea.exe", "process": "unknown", "process_guid": "{00000000-0000-0000-0000-000000000000}", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Windows Defender", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T07:00:00.000+00:00", "parent_process_name": "csrss.exe", "parent_process": "unknown", "process_name": "_vea.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\_vea.exe", "process": "unknown", "process_guid": "{00000000-0000-0000-0000-000000000000}", "registry_path": "HKCR\\Drive\\shellex\\ContextMenuHandlers\\EPP", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "EPP", "action": "allowed", "dest": "win-dc-tcontreras-attack-range-173.attackrange.local", "user": "unknown"}, {"_time": "2025-12-10T08:00:00.000+00:00", "parent_process_name": "download.exe", "parent_process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsoB111.tmp\\download.exe\" /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsoB111.tmp\\config.ini", "process_name": "setup.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\7zSCA8F6AE7\\setup.exe", "process": ".\\setup.exe /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsoB111.tmp\\config.ini", "process_guid": "{59A5CD1D-9457-6005-2B05-00000000A301}", "registry_path": "HKU\\S-1-5-21-2311372046-1276363322-545193238-500_Classes\\*\\shell\\Firefox-308046B0AF4A39CB", "registry_value_name": "unknown", 
"registry_value_data": "unknown", "registry_key_name": "Firefox-308046B0AF4A39CB", "action": "allowed", "dest": "win-dc-495.attackrange.local", "user": "Administrator"}, {"_time": "2025-12-10T08:00:00.000+00:00", "parent_process_name": "download.exe", "parent_process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsoB111.tmp\\download.exe\" /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsoB111.tmp\\config.ini", "process_name": "setup.exe", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\7zSCA8F6AE7\\setup.exe", "process": ".\\setup.exe /LaunchedFromStub /INI=C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\nsoB111.tmp\\config.ini", "process_guid": "{59A5CD1D-9457-6005-2B05-00000000A301}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AppId_Catalog\\1F97E3EE", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "1F97E3EE", "action": "allowed", "dest": "win-dc-495.attackrange.local", "user": "Administrator"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\hivelist\\\\REGISTRY\\MACHINE\\DRIVERS", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "DRIVERS", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\kbdclass\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", 
"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\mouclass\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\2", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "2", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "ProcessHacker.exe", "parent_process": "unknown", "process_name": "System", "process_path": "System", "process": "unknown", "process_guid": "{B58D6529-E268-62A1-0100-000000006102}", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\terminpt\\Enum\\3", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "3", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "unknown"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": 
"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Session0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Owner", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Owner", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": 
"\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFiles0000", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFiles0000", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\RegFilesHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "RegFilesHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" 
/SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\Sequence", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "Sequence", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}, {"_time": "2026-01-23T22:00:00.000+00:00", "parent_process_name": "processhacker-2.39-setup.exe", "parent_process": "\"C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_name": "processhacker-2.39-setup.tmp", "process_path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp", "process": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\is-GPA4N.tmp\\processhacker-2.39-setup.tmp\" /SL5=\"$505A0,1874675,150016,C:\\Users\\Administrator\\Downloads\\processhacker-2.39-setup.exe\"", "process_guid": "{B58D6529-E923-62A1-7B03-000000006102}", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\RestartManager\\Session0000\\SessionHash", "registry_value_name": "unknown", "registry_value_data": "unknown", "registry_key_name": "SessionHash", "action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "user": "Administrator"}], "error": null} +{"file_name": "revil_registry_entry.yml", "description": "The following analytic identifies suspicious modifications in the registry entry, specifically targeting paths used by malware like REVIL. It detects changes in registry paths such as `SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant` and `SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications linked to process GUIDs. 
This activity is significant as it indicates potential malware persistence mechanisms, often used by advanced persistent threats (APTs) and ransomware. If confirmed malicious, this could allow attackers to maintain persistence, encrypt files, and store critical ransomware-related information on compromised hosts.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\Facebook_Assistant\\\\*\" OR Registry.registry_path=\"*\\\\SOFTWARE\\\\WOW6432Node\\\\BlackLivesMatter*\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `revil_registry_entry_filter`", "results": [{"action": "modified", "dest": "win-dc-410.attackrange.local", "process_guid": "{5F1D3C56-4646-60B7-7903-00000000C601}", "process_id": "5788", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\AVPVtDwg", "registry_key_name": "Facebook_Assistant", "registry_value_data": "Binary Data", "registry_value_name": "AVPVtDwg", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "win-dc-410.attackrange.local", "process_guid": "{5F1D3C56-4646-60B7-7903-00000000C601}", "process_id": "5788", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\Lywu", "registry_key_name": "Facebook_Assistant", "registry_value_data": "Binary Data", "registry_value_name": "Lywu", "registry_value_type": "unknown", "status": "success", "user": "unknown", 
"vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "win-dc-410.attackrange.local", "process_guid": "{5F1D3C56-4646-60B7-7903-00000000C601}", "process_id": "5788", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\WqDdDd", "registry_key_name": "Facebook_Assistant", "registry_value_data": "Binary Data", "registry_value_name": "WqDdDd", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "win-dc-410.attackrange.local", "process_guid": "{5F1D3C56-4646-60B7-7903-00000000C601}", "process_id": "5788", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\ghyYa4L", "registry_key_name": "Facebook_Assistant", "registry_value_data": ".589b1k31d", "registry_value_name": "ghyYa4L", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "win-dc-410.attackrange.local", "process_guid": "{5F1D3C56-4646-60B7-7903-00000000C601}", "process_id": "5788", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\xNyfI", "registry_key_name": "Facebook_Assistant", "registry_value_data": "Binary Data", "registry_value_name": "xNyfI", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "win-dc-410.attackrange.local", "process_guid": "{5F1D3C56-4646-60B7-7903-00000000C601}", "process_id": "5788", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\z4x", "registry_key_name": "Facebook_Assistant", "registry_value_data": "Binary Data", "registry_value_name": "z4x", "registry_value_type": "unknown", 
"status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2"}], "error": null} +{"file_name": "windows_modify_registry_wustatusserver.yml", "description": "The following analytic identifies suspicious modifications to the Windows Update configuration registry, specifically targeting the WUStatusServer key. It leverages data from the Endpoint datamodel to detect changes in the registry path associated with Windows Update settings. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and persistent unauthorized access.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\WUStatusServer\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_wustatusserver_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_id": "6264", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "WUStatusServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", 
"vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:37", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C05-6442-7103-00000000DD02}", "process_id": "784", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "WUStatusServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:26", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8B03-00000000DD02}", "process_id": "344", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\WUStatusServer", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "WUStatusServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "enable_wdigest_uselogoncredential_registry.yml", "description": "The following analytic detects a suspicious registry modification that enables the plain text credential feature in Windows by setting the \"UseLogonCredential\" value to 1 in the WDigest registry path. This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is commonly used by malware and tools like Mimikatz to dump plain text credentials, indicating a potential credential dumping attempt. 
If confirmed malicious, this could allow an attacker to obtain sensitive credentials, leading to further compromise and lateral movement within the network.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "results": [{"action": "modified", "dest": "mswin-server.attackrange.local", "process_guid": "{EF490992-4DF6-644B-2A26-00000000CD02}", "process_id": "4664", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "registry_key_name": "WDigest", "registry_value_data": "0x00000001", "registry_value_name": "UseLogonCredential", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-04-28T04:39:18", "lastTime": "2025-12-10T02:13:00"}, {"action": "modified", "dest": "win-dc-676.attackrange.local", "process_guid": "{6EDEAD03-032C-615C-5105-00000000FB01}", "process_id": "108", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "registry_key_name": "WDigest", "registry_value_data": 
"0x00000001", "registry_value_name": "UseLogonCredential", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:16:26", "lastTime": "2025-12-10T07:16:26"}], "error": null} +{"file_name": "disabling_cmd_application.yml", "description": "The following analytic detects modifications to the registry that disable the CMD prompt application. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableCMD\" registry value. This activity is significant because disabling CMD can hinder an analyst's ability to investigate and remediate threats, a tactic often used by malware such as RATs, Trojans, or Worms. If confirmed malicious, this could prevent security teams from using CMD for directory and file traversal, complicating incident response and allowing the attacker to maintain persistence.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "results": [{"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3C01-00000000AE01}", "process_id": "2148", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD", "registry_key_name": "System", "registry_value_data": "0x00000001", "registry_value_name": "DisableCMD", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}], "error": null} +{"file_name": "remcos_client_registry_install_entry.yml", "description": "The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the \"license\" key is found in the \"Software\\Remcos\" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. 
Immediate investigation and remediation are required.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*\\\\Software\\\\Remcos*) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`remcos_client_registry_install_entry_filter`", "results": [{"action": "modified", "dest": "win-dc-966.attackrange.local", "process_guid": "{5097E253-961E-6149-3A2C-00000000FB01}", "process_id": "7644", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1292086698-2133823296-1489611813-500\\SOFTWARE\\remcos_gzufalnqzl\\EXEpath", "registry_key_name": "remcos_gzufalnqzl", "registry_value_data": "\u00a6\u00e1\u008fs6\\x11\u00fe\\x1D\u2014o\\x1D\u00fa\u201d\u00c9", "registry_value_name": "EXEpath", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}, {"action": "modified", "dest": "win-dc-966.attackrange.local", "process_guid": "{5097E253-961E-6149-3A2C-00000000FB01}", "process_id": "7644", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1292086698-2133823296-1489611813-500\\SOFTWARE\\remcos_gzufalnqzl\\FR", "registry_key_name": "remcos_gzufalnqzl", "registry_value_data": "0x00000001", "registry_value_name": "FR", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3486-6238-6801-000000004102}", "process_id": "6328", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-2182867758-2228517806-1658428495-500\\SOFTWARE\\Remcos-831TYD\\licence", "registry_key_name": "Remcos-831TYD", "registry_value_data": "(Empty)", "registry_value_name": "licence", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}], "error": null} +{"file_name": "windows_modify_registry_tamper_protection.yml", "description": "The following analytic detects a suspicious modification to the Windows Defender Tamper Protection registry setting. It leverages data from the Endpoint datamodel, specifically targeting changes where the registry path is set to disable Tamper Protection. This activity is significant because disabling Tamper Protection can allow adversaries to make further undetected changes to Windows Defender settings, potentially leading to reduced security on the system. If confirmed malicious, this could enable attackers to evade detection, persist in the environment, and execute further malicious activities without interference from Windows Defender.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" AND Registry.registry_value_data=\"0x00000000\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_tamper_protection_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-7D03-00000000DD02}", "process_id": "3460", "registry_hive": 
"HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection", "registry_key_name": "Features", "registry_value_data": "0x00000000", "registry_value_name": "TamperProtection", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_impair_defenses_disable_av_autostart_via_registry.yml", "description": "The following analytic detects modifications to the registry related to the disabling of autostart functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security analysts to identify attempts to disable protective software. 
Detecting these modifications early is critical for maintaining system integrity and preventing further compromise by malicious actors.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN(\"*\\\\kingsoft\\\\antivirus\\\\KAVReport\\\\*\" , \"*\\\\kingsoft\\\\antivirus\\\\KSetting\\\\*\", \"*\\\\kingsoft\\\\antivirus\\\\Windhunter\\\\*\" ,\"*\\\\Tencent\\\\QQPCMgr\\\\*\") AND ((Registry.registry_value_name IN(\"autostart\",\"kxesc\", \"WindhunterSwitch\") AND Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_value_name = \"WindhunterLevel\" AND Registry.registry_value_data = \"0x00000004\")) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defenses_disable_av_autostart_via_registry_filter`", "results": [{"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-1480-66df-7405-000000009402}", "process_id": "6492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\kingsoft\\antivirus\\KAVReport\\AutoStart", "registry_key_name": "KAVReport", "registry_value_data": "0x00000000", "registry_value_name": "AutoStart", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-1480-66df-7405-000000009402}", "process_id": "6492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\kingsoft\\antivirus\\KSetting\\kxesc", 
"registry_key_name": "KSetting", "registry_value_data": "0x00000000", "registry_value_name": "kxesc", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-1480-66df-7405-000000009402}", "process_id": "6492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\kingsoft\\antivirus\\Windhunter\\WindhunterLevel", "registry_key_name": "Windhunter", "registry_value_data": "0x00000004", "registry_value_name": "WindhunterLevel", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-1480-66df-7405-000000009402}", "process_id": "6492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\kingsoft\\antivirus\\Windhunter\\WindhunterSwitch", "registry_key_name": "Windhunter", "registry_value_data": "0x00000000", "registry_value_name": "WindhunterSwitch", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2"}], "error": null} +{"file_name": "windows_modify_registry_valleyrat_pwn_reg_entry.yml", "description": "The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. 
Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*.pwn\\\\Shell\\\\Open\\\\command\" OR Registry.registry_value_data = \".pwn\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_valleyrat_pwn_reg_entry_filter`", "results": [{"action": "deleted", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-287a-66e0-561d-000000009402}", "process_id": "2812", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500_Classes\\.pwn\\Shell\\Open\\command", "registry_key_name": "command", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "4"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-281a-66e0-431d-000000009402}", "process_id": "4636", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500_Classes\\ms-settings\\CurVer\\(Default)", "registry_key_name": "CurVer", "registry_value_data": ".pwn", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "4"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-286d-66e0-541d-000000009402}", "process_id": 
"3820", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500_Classes\\ms-settings\\CurVer\\(Default)", "registry_key_name": "CurVer", "registry_value_data": ".pwn", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "4"}], "error": null} +{"file_name": "windows_runmru_registry_key_or_value_deleted.yml", "description": "The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. 
Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU*\" Registry.action = deleted by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_runmru_registry_key_or_value_deleted_filter`", "results": [{"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList", "registry_key_name": "MRUList", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a", "registry_key_name": "a", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": 
"2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b", "registry_key_name": "b", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\c", "registry_key_name": "c", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\d", "registry_key_name": "d", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", 
"registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\e", "registry_key_name": "e", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\f", "registry_key_name": "f", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\g", "registry_key_name": "g", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\h", "registry_key_name": "h", 
"registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-11-14T10:09:39"}, {"action": "deleted", "dest": "ar-win-dc", "process_guid": "{CA8A6768-FFA9-6916-9303-000000000304}", "process_id": "1436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1508665847-1927431286-59614149-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\i", "registry_key_name": "i", "registry_value_data": "unknown", "registry_value_name": "unknown", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-11-14T10:09:39", "lastTime": "2025-12-10T02:11:30"}], "error": null} +{"file_name": "windows_set_network_profile_category_to_private_via_registry.yml", "description": "The following analytic detects attempts to modify the Windows Registry to change a network profile's category to \"Private\", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{GUID} registry path. A value of 1 corresponds to a private network profile, which typically enables less restrictive firewall policies. While this action can occur during legitimate network configuration, it may also be a sign of malicious behavior when combined with other indicators such as suspicious account activity, unexpected administrative privilege usage, or execution of unsigned binaries. 
Monitoring for this registry modification\u2014especially outside standard IT processes or correlated with persistence mechanisms\u2014can help identify stealthy post-exploitation activity.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\NetworkList\\\\Profiles\\\\*\" Registry.registry_value_name = \"Category\" Registry.registry_value_data = 0x00000001 by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_set_network_profile_category_to_private_via_registry_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{03D06954-0199-65BC-1200-000000004603}", "process_id": "364", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{C4CE6D26-C658-4895-975D-DA915CA76167}\\Category", "registry_key_name": "{C4CE6D26-C658-4895-975D-DA915CA76167}", "registry_value_data": "0x00000001", "registry_value_name": "Category", "registry_value_type": "REG_DWORD", "status": "success", "user": "LOCAL SERVICE", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2024-02-01T20:55:22", "lastTime": "2025-12-10T07:32:30"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{E4B49A97-F6D1-6891-6201-00000000F403}", "process_id": "2764", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\NetworkList\\Profiles\\Category", "registry_key_name": "Profiles", "registry_value_data": "0x00000001", "registry_value_name": "Category", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-08-05T12:19:29", "lastTime": "2025-12-10T02:11:00"}], "error": null} +{"file_name": "windows_disable_lock_workstation_feature_through_registry.yml", "description": "The following analytic detects a suspicious registry modification that disables the Lock Computer feature in Windows. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" with a value of \"0x00000001\". This activity is significant because it prevents users from locking their screens, a tactic often used by malware, including ransomware, to maintain control over compromised systems. 
If confirmed malicious, this could allow attackers to sustain their presence and execute further malicious actions without user interruption.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "results": [{"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2FEA-6227-D108-000000003602}", "process_id": "5884", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation", "registry_key_name": "System", "registry_value_data": "0x00000001", "registry_value_name": "DisableLockWorkstation", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:28:58", "lastTime": "2025-12-10T02:08:59"}], "error": null} +{"file_name": "windows_modify_registry_disable_restricted_admin.yml", "description": "The following analytic detects modifications to the Windows registry entry \"DisableRestrictedAdmin,\" which controls the Restricted Admin mode behavior. 
This detection leverages registry activity logs from endpoint data sources like Sysmon or Carbon Black. Monitoring this activity is crucial as changes to this setting can disable a security feature that limits credential exposure during remote connections. If confirmed malicious, an attacker could weaken security controls, increasing the risk of credential theft and unauthorized access to sensitive systems.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin\" Registry.registry_value_data = 0x00000000) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_restricted_admin_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{AE77D3C2-1D02-657B-EA03-000000003403}", "process_id": "4312", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin", "registry_key_name": "Lsa", "registry_value_data": "0x00000000", "registry_value_name": "DisableRestrictedAdmin", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-12-14T15:19:30", "lastTime": "2023-12-14T15:19:30"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{AE77D3C2-1D23-657B-FC03-000000003403}", "process_id": "4108", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin", "registry_key_name": "Lsa", "registry_value_data": "0x00000000", "registry_value_name": "DisableRestrictedAdmin", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-12-14T15:20:03", "lastTime": "2023-12-14T15:20:03"}], "error": null} +{"file_name": "disabling_controlpanel.yml", "description": "The following analytic detects registry modifications that disable the Control Panel on Windows systems. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" with a value of \"0x00000001\". This activity is significant as it is commonly used by malware to prevent users from accessing the Control Panel, thereby hindering the removal of malicious artifacts and persistence mechanisms. 
If confirmed malicious, this could allow attackers to maintain control over the infected machine and prevent remediation efforts.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{03D06954-22D8-65BC-EC03-000000004703}", "process_id": "4752", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3344543075-1022232225-2459664213-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "6", "firstTime": "2024-02-01T23:07:08", "lastTime": "2025-12-10T07:32:30"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3E01-00000000AE01}", "process_id": "2688", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", 
"registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3F01-00000000AE01}", "process_id": "4156", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9C08-000000003602}", "process_id": "5180", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoControlPanel", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:17", "lastTime": "2025-12-10T02:08:59"}], "error": null} +{"file_name": "windows_modify_registry_to_add_or_modify_firewall_rule.yml", "description": "The following analytic detects a potential addition or modification of firewall rules, signaling possible configuration changes or security policy adjustments. It tracks commands such as netsh advfirewall firewall add rule and netsh advfirewall firewall set rule, which may indicate attempts to alter network access controls. 
Monitoring these actions ensures the integrity of firewall settings and helps prevent unauthorized network access.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.action = modified by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_to_add_or_modify_firewall_rule_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{848A6B75-314B-6675-1500-000000000B03}", "process_id": "1128", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0D807408-8157-49B9-ACFC-0B5C15B1119E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\MyApp\\MyApp1.exe|Name=Mytestfirewal1|", "registry_value_name": "{0D807408-8157-49B9-ACFC-0B5C15B1119E}", "registry_value_type": "unknown", "status": "success", "user": "LOCAL SERVICE", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2024-06-21T09:23:13", "lastTime": "2024-06-21T09:23:13"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{107DBA90-A73E-4B9C-B437-C2393E78260F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{107DBA90-A73E-4B9C-B437-C2393E78260F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{2F0D54CA-144D-4C91-89B8-0FB22448801D}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\\Windows\\dwm.exe|Name=dwm.exe|", "registry_value_name": "{2F0D54CA-144D-4C91-89B8-0FB22448801D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "modified", "dest": "project-london-host", "process_guid": 
"{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{36FFDC65-02FE-4835-882E-981304CD31F3}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{36FFDC65-02FE-4835-882E-981304CD31F3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3F320D70-3763-4357-871D-5425D85D98D9}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3F320D70-3763-4357-871D-5425D85D98D9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{56884448-C549-45B9-9411-D12CCCA5A3B3}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{56884448-C549-45B9-9411-D12CCCA5A3B3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{60021318-FA04-47A4-98C8-D693E6354A32}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\\Windows\\dwm.exe|Name=dwm.exe|", "registry_value_name": "{60021318-FA04-47A4-98C8-D693E6354A32}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6E47F48E-3F05-4A2F-BE6D-BBF116B69F45}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6E47F48E-3F05-4A2F-BE6D-BBF116B69F45}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8F17E110-0455-42E9-9A92-FB4ACF71ECCA}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8F17E110-0455-42E9-9A92-FB4ACF71ECCA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9CB6210D-D372-4B96-A9F3-3E45C3743FA0}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9CB6210D-D372-4B96-A9F3-3E45C3743FA0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9FBE8EA0-5DAA-47E6-8BBA-F026F023E2DD}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9FBE8EA0-5DAA-47E6-8BBA-F026F023E2DD}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A3A0C9F4-68D7-447E-9710-C33957846A65}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A3A0C9F4-68D7-447E-9710-C33957846A65}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{ABE1BAD9-DFA7-43C0-B61B-2C403206DA92}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{ABE1BAD9-DFA7-43C0-B61B-2C403206DA92}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "project-london-host", "process_guid": "{4C77B871-9763-6086-1300-00000000BB01}", "process_id": "316", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C74B4BD9-AF0A-4561-80F5-5B869F78D92A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3702483257-3215672389-2999096046-1008|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C74B4BD9-AF0A-4561-80F5-5B869F78D92A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:15", "lastTime": "2025-12-09T22:41:15"}, {"action": "modified", "dest": "win-dc-15.attackrange.local", "process_guid": "{82A15F94-3494-6112-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{49dcdfda-5f3f-4de0-9a45-6ee94382bda9}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2330|Name=New RDP Port 2330|", "registry_value_name": "{49dcdfda-5f3f-4de0-9a45-6ee94382bda9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:42:14", "lastTime": "2025-12-09T22:42:14"}, {"action": "modified", "dest": "win-dc-15.attackrange.local", "process_guid": "{82A15F94-3494-6112-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{cae4bc59-062b-4ccb-b968-27b0f5aa5d13}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2330|Name=New RDP Port 2330|", "registry_value_name": "{cae4bc59-062b-4ccb-b968-27b0f5aa5d13}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:42:14", "lastTime": "2025-12-09T22:42:14"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{073C8BCF-57E5-4EFF-A6B3-BA3B952AC501}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{073C8BCF-57E5-4EFF-A6B3-BA3B952AC501}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": 
"2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{09EEE5DF-4473-4117-8EBA-614B8043038E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{09EEE5DF-4473-4117-8EBA-614B8043038E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3A28C35A-74B0-4192-9989-417E403A2CD2}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3A28C35A-74B0-4192-9989-417E403A2CD2}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3E1B8389-EC49-4419-879C-E39D12813A4C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3E1B8389-EC49-4419-879C-E39D12813A4C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4532D913-BA3E-42EC-BA15-7C476144B347}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4532D913-BA3E-42EC-BA15-7C476144B347}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4B9E9B3E-742E-41E6-9C8F-2C77AA5DB0F3}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4B9E9B3E-742E-41E6-9C8F-2C77AA5DB0F3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{51674281-8ED5-4DC6-BDA7-72F4C7A5AD10}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{51674281-8ED5-4DC6-BDA7-72F4C7A5AD10}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6112E92F-432A-4E3A-840C-0C44FD92C09F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6112E92F-432A-4E3A-840C-0C44FD92C09F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{895CF97E-892E-48C9-9B95-9E583FFA59BF}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{895CF97E-892E-48C9-9B95-9E583FFA59BF}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CCBB62AD-B0AA-4F5D-AA1B-E458A7A4AB82}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", 
"registry_value_name": "{CCBB62AD-B0AA-4F5D-AA1B-E458A7A4AB82}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-185.attackrange.local", "process_guid": "{8D4DD44E-5BA9-616D-1500-000000000402}", "process_id": "1248", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F2E8EE33-707C-4B87-B75F-FFD35C173E2C}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3740187008-2201179595-1268207648-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F2E8EE33-707C-4B87-B75F-FFD35C173E2C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:37:07", "lastTime": "2025-12-09T22:37:07"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{20F73E36-6666-4BC1-869E-07443520F75B}", 
"registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{20F73E36-6666-4BC1-869E-07443520F75B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{29120AE5-A26B-4F2B-ABF3-0B231F21F3A9}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{29120AE5-A26B-4F2B-ABF3-0B231F21F3A9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{313F6C8B-F3DB-4FE1-A04F-BE97D49C8CB6}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{313F6C8B-F3DB-4FE1-A04F-BE97D49C8CB6}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{40439B97-87C6-4DB5-99F7-4DB91148AE6A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{40439B97-87C6-4DB5-99F7-4DB91148AE6A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{61F15E98-6BBB-427E-9CF3-99FAC939C0AA}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{61F15E98-6BBB-427E-9CF3-99FAC939C0AA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{748C4C0C-E6DE-47F0-8325-9D3B68C0670E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{748C4C0C-E6DE-47F0-8325-9D3B68C0670E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{847DDBE7-AE23-4969-8DC5-07E295C19487}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{847DDBE7-AE23-4969-8DC5-07E295C19487}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{86E71834-E06E-41C9-BE2E-FC09FAEA74CE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{86E71834-E06E-41C9-BE2E-FC09FAEA74CE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9CB731CC-03C7-4AFD-8625-1E5EB18A165B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9CB731CC-03C7-4AFD-8625-1E5EB18A165B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B3AC672B-C068-41DA-AA37-97FE6DC0C712}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B3AC672B-C068-41DA-AA37-97FE6DC0C712}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-28FE-6137-1500-00000000F001}", "process_id": "1196", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{EB88B855-90B2-4880-984A-1DC6B047FAEC}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-701328404-3962279559-3904273332-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{EB88B855-90B2-4880-984A-1DC6B047FAEC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0E4561D6-2E0C-4EA0-950E-558F39D57CCB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{0E4561D6-2E0C-4EA0-950E-558F39D57CCB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{2E5B73DB-8F4F-4284-A3FA-4BBC162AD107}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{2E5B73DB-8F4F-4284-A3FA-4BBC162AD107}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{457A4E82-C847-4783-8365-6E6FDE4A2E77}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{457A4E82-C847-4783-8365-6E6FDE4A2E77}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{45E7D6A2-EB40-4E99-A5C3-96678EEC7069}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{45E7D6A2-EB40-4E99-A5C3-96678EEC7069}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{95F2E53C-4851-4B09-99B3-6CB5B9B433BC}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{95F2E53C-4851-4B09-99B3-6CB5B9B433BC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9BEB18F0-9FD5-4D43-A8DA-2864CDAABC6D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9BEB18F0-9FD5-4D43-A8DA-2864CDAABC6D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BA7EADDC-CAA7-49FA-BBC6-C65B505BCBF4}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{BA7EADDC-CAA7-49FA-BBC6-C65B505BCBF4}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D40708E4-A2FA-4D33-927D-319ACB05B90F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{D40708E4-A2FA-4D33-927D-319ACB05B90F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E4844226-8EEB-43E4-AE12-F0A79328AB4A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E4844226-8EEB-43E4-AE12-F0A79328AB4A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E578FAE8-CBF7-48E6-96B3-BA41C552024F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E578FAE8-CBF7-48E6-96B3-BA41C552024F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-235.attackrange.local", "process_guid": "{2935EF20-8EFB-5FD0-0000-001087F20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{ECF9305F-41F6-43A2-92C7-0BCE77A82053}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-1437397836-63413453-3273824210-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{ECF9305F-41F6-43A2-92C7-0BCE77A82053}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{14BE8CCD-FAE6-4A55-BA48-AD000E42701D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{14BE8CCD-FAE6-4A55-BA48-AD000E42701D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1851F559-3766-47C8-A5FD-17B8705CAC4B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{1851F559-3766-47C8-A5FD-17B8705CAC4B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3393F051-6B4E-4258-821E-A8987A5563CD}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3393F051-6B4E-4258-821E-A8987A5563CD}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{39943FFE-0825-47ED-9BAC-9AC127AB7A1E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{39943FFE-0825-47ED-9BAC-9AC127AB7A1E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{82B4FCF2-6949-4A2B-AD8B-032D57DC511B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{82B4FCF2-6949-4A2B-AD8B-032D57DC511B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9073E6D2-25D1-4FB8-9BB5-93EA544A493D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9073E6D2-25D1-4FB8-9BB5-93EA544A493D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{96C982DA-653D-4412-9A24-CE45F45B1834}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{96C982DA-653D-4412-9A24-CE45F45B1834}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9869EDEC-4A65-41BC-B0E1-14594554FC6B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9869EDEC-4A65-41BC-B0E1-14594554FC6B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A10D4DE3-67BF-455C-A44D-273C37318D69}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A10D4DE3-67BF-455C-A44D-273C37318D69}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E7843651-01C2-43F0-879A-E492E501418C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E7843651-01C2-43F0-879A-E492E501418C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-250.attackrange.local", "process_guid": "{08A6967A-4288-6000-1600-000000009A01}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FC682AA0-D3E2-421C-AF98-A6C847834199}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2738482597-1131698221-3520544381-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{FC682AA0-D3E2-421C-AF98-A6C847834199}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{70BE3EB3-DADA-4626-9EDB-964427437A5A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{70BE3EB3-DADA-4626-9EDB-964427437A5A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7FFCCF8D-DB94-4A53-AD00-C5FCBAE92CF7}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7FFCCF8D-DB94-4A53-AD00-C5FCBAE92CF7}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8EEBA8F3-64AB-432D-9BA2-A1C63F56E2EB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8EEBA8F3-64AB-432D-9BA2-A1C63F56E2EB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{93D47BAE-5093-401C-B4BC-BF4D3C488038}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{93D47BAE-5093-401C-B4BC-BF4D3C488038}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9EB449E5-588F-4FF8-97EA-FEF0E9B92FD8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9EB449E5-588F-4FF8-97EA-FEF0E9B92FD8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CB004B91-C455-4FA2-8BDD-4DA8C118CB72}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CB004B91-C455-4FA2-8BDD-4DA8C118CB72}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D05F2B9C-C645-4DD2-8262-02D33DE76E67}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{D05F2B9C-C645-4DD2-8262-02D33DE76E67}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E1586CBE-96E1-43B7-AF24-9129B974D509}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E1586CBE-96E1-43B7-AF24-9129B974D509}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E2598FAE-3803-40BA-B85E-0F60DE645A25}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E2598FAE-3803-40BA-B85E-0F60DE645A25}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E64C5C41-BDBD-400C-B1DC-E94291BE4F7A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E64C5C41-BDBD-400C-B1DC-E94291BE4F7A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-F88C-605A-1500-00000000AE01}", "process_id": "1480", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FBA7BD5B-01C8-4EB7-A357-11A8EB1599DD}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-1395536936-211942639-3556811650-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{FBA7BD5B-01C8-4EB7-A357-11A8EB1599DD}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-B626-607E-1500-00000000BB01}", "process_id": "1496", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{30389C35-B5C1-4478-B14F-E946DE9764AB}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{30389C35-B5C1-4478-B14F-E946DE9764AB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:58:21", "lastTime": "2025-12-10T04:58:21"}, {"action": "modified", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-B626-607E-1500-00000000BB01}", "process_id": "1496", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3D36583A-4BFA-4254-B748-97E29797485F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=6004|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe|Name=Microsoft Office Outlook|", "registry_value_name": "{3D36583A-4BFA-4254-B748-97E29797485F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:58:21", "lastTime": "2025-12-10T04:58:21"}, {"action": "modified", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-B626-607E-1500-00000000BB01}", "process_id": "1496", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4127FD87-446C-4A37-8920-CEDA59976D8B}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{4127FD87-446C-4A37-8920-CEDA59976D8B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:58:21", "lastTime": "2025-12-10T04:58:21"}, {"action": "modified", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-B626-607E-1500-00000000BB01}", "process_id": "1496", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{91DA7D1C-947D-482B-B400-AFCAD99ACC23}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\\Program Files\\Microsoft 
Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{91DA7D1C-947D-482B-B400-AFCAD99ACC23}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:58:21", "lastTime": "2025-12-10T04:58:21"}, {"action": "modified", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-B626-607E-1500-00000000BB01}", "process_id": "1496", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DA91CA72-CCBD-48F5-A919-84693B7B70A9}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{DA91CA72-CCBD-48F5-A919-84693B7B70A9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:58:21", "lastTime": "2025-12-10T04:58:21"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-DCOM-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=135|App=%%systemroot%%\\system32\\svchost.exe|Svc=RPCSS|Name=@fssmres.dll,-103|Desc=@fssmres.dll,-104|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-DCOM-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": 
"2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-SMB-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@fssmres.dll,-105|Desc=@fssmres.dll,-106|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-SMB-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-Winmgmt-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%%systemroot%%\\system32\\svchost.exe|Svc=Winmgmt|Name=@fssmres.dll,-101|Desc=@fssmres.dll,-102|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-Winmgmt-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0F979271-BDBA-46B3-9003-AD64A5434E3E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{0F979271-BDBA-46B3-9003-AD64A5434E3E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{45B19AD4-1ADA-4660-857D-86257A7BD2C4}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{45B19AD4-1ADA-4660-857D-86257A7BD2C4}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{46CB1AA9-1048-4957-BE67-67234AF0F15B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{46CB1AA9-1048-4957-BE67-67234AF0F15B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{53DD44BA-E2C5-4E18-BC3E-B6EE3B85D82E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{53DD44BA-E2C5-4E18-BC3E-B6EE3B85D82E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{59F59BD8-FA64-4C90-8A70-87B96964898A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{59F59BD8-FA64-4C90-8A70-87B96964898A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6B1B6E90-D1EC-418A-AE5B-8589C8AD6904}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6B1B6E90-D1EC-418A-AE5B-8589C8AD6904}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7B1528B5-00B7-4C5D-A266-DD1F54ECD4FF}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7B1528B5-00B7-4C5D-A266-DD1F54ECD4FF}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{82C0D4FA-56D8-436E-BA20-A6AE99194D8D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{82C0D4FA-56D8-436E-BA20-A6AE99194D8D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{AFD54E67-D17A-4B81-A5D7-5CFC6D3FAECB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{AFD54E67-D17A-4B81-A5D7-5CFC6D3FAECB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F390E2CD-DF7E-4F1F-BDDC-ECF9BD338395}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F390E2CD-DF7E-4F1F-BDDC-ECF9BD338395}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E4B6-60C1-1500-00000000C401}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FD2D2A0C-CB8D-4764-8FF2-EDDEC1AA2697}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-986166657-4127868789-2511509191-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{FD2D2A0C-CB8D-4764-8FF2-EDDEC1AA2697}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP4-ERQ-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Profile=Domain|Profile=Private|Profile=Public|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP4-ERQ-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", 
"process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP4-ERQ-Out", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=1|Profile=Domain|Profile=Private|Profile=Public|ICMP4=8:*|Name=@FirewallAPI.dll,-28544|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP4-ERQ-Out", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP6-ERQ-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=58|Profile=Domain|Profile=Private|Profile=Public|ICMP6=128:*|Name=@FirewallAPI.dll,-28545|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP6-ERQ-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP6-ERQ-Out", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|Profile=Domain|Profile=Private|Profile=Public|ICMP6=128:*|Name=@FirewallAPI.dll,-28546|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP6-ERQ-Out", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-LLMNR-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|Profile=Public|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28548|Desc=@FirewallAPI.dll,-28549|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-LLMNR-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-LLMNR-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|Profile=Private|Profile=Public|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28550|Desc=@FirewallAPI.dll,-28551|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-LLMNR-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Datagram-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|Profile=Public|LPort=138|App=System|Name=@FirewallAPI.dll,-28527|Desc=@FirewallAPI.dll,-28530|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Datagram-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Datagram-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|Profile=Private|Profile=Public|RPort=138|App=System|Name=@FirewallAPI.dll,-28531|Desc=@FirewallAPI.dll,-28534|EmbedCtxt=@FirewallAPI.dll,-28502|", 
"registry_value_name": "FPS-NB_Datagram-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Name-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|Profile=Public|LPort=137|App=System|Name=@FirewallAPI.dll,-28519|Desc=@FirewallAPI.dll,-28522|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Name-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Name-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|Profile=Private|Profile=Public|RPort=137|App=System|Name=@FirewallAPI.dll,-28523|Desc=@FirewallAPI.dll,-28526|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Name-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": 
"win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Session-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=139|App=System|Name=@FirewallAPI.dll,-28503|Desc=@FirewallAPI.dll,-28506|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Session-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Session-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|RPort=139|App=System|Name=@FirewallAPI.dll,-28507|Desc=@FirewallAPI.dll,-28510|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Session-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-RPCSS-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=RPC-EPMap|Svc=Rpcss|Name=@FirewallAPI.dll,-28539|Desc=@FirewallAPI.dll,-28542|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-RPCSS-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-SMB-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=445|App=System|Name=@FirewallAPI.dll,-28511|Desc=@FirewallAPI.dll,-28514|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-SMB-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-SMB-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|RPort=445|App=System|Name=@FirewallAPI.dll,-28515|Desc=@FirewallAPI.dll,-28518|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-SMB-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-SpoolSvc-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=RPC|App=%%SystemRoot%%\\system32\\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-SpoolSvc-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-FDPHOST-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=fdphost|Name=@FirewallAPI.dll,-32785|Desc=@FirewallAPI.dll,-32788|EmbedCtxt=@FirewallAPI.dll,-32752|", 
"registry_value_name": "NETDIS-FDPHOST-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-FDPHOST-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=fdphost|Name=@FirewallAPI.dll,-32789|Desc=@FirewallAPI.dll,-32792|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-FDPHOST-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-FDRESPUB-WSD-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=fdrespub|Name=@FirewallAPI.dll,-32809|Desc=@FirewallAPI.dll,-32810|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-FDRESPUB-WSD-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", 
"lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-FDRESPUB-WSD-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=fdrespub|Name=@FirewallAPI.dll,-32811|Desc=@FirewallAPI.dll,-32812|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-FDRESPUB-WSD-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-LLMNR-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-32801|Desc=@FirewallAPI.dll,-32804|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-LLMNR-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-LLMNR-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-32805|Desc=@FirewallAPI.dll,-32808|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-LLMNR-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-NB_Datagram-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=138|App=System|Name=@FirewallAPI.dll,-32777|Desc=@FirewallAPI.dll,-32780|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-NB_Datagram-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-NB_Datagram-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=138|App=System|Name=@FirewallAPI.dll,-32781|Desc=@FirewallAPI.dll,-32784|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-NB_Datagram-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-NB_Name-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=137|App=System|Name=@FirewallAPI.dll,-32769|Desc=@FirewallAPI.dll,-32772|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-NB_Name-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-NB_Name-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=137|App=System|Name=@FirewallAPI.dll,-32773|Desc=@FirewallAPI.dll,-32776|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-NB_Name-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": 
"2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-SSDPSrv-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=Ssdpsrv|Name=@FirewallAPI.dll,-32753|Desc=@FirewallAPI.dll,-32756|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-SSDPSrv-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-SSDPSrv-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=Ssdpsrv|Name=@FirewallAPI.dll,-32757|Desc=@FirewallAPI.dll,-32760|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-SSDPSrv-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-UPnP-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=2869|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=upnphost|Name=@FirewallAPI.dll,-32821|Desc=@FirewallAPI.dll,-32822|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-UPnP-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-UPnPHost-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2869|App=System|Name=@FirewallAPI.dll,-32761|Desc=@FirewallAPI.dll,-32764|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-UPnPHost-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-UPnPHost-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=2869|App=System|Name=@FirewallAPI.dll,-32765|Desc=@FirewallAPI.dll,-32768|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-UPnPHost-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-WSDEVNT-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=5357|App=System|Name=@FirewallAPI.dll,-32817|Desc=@FirewallAPI.dll,-32818|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-WSDEVNT-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-WSDEVNT-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=5357|App=System|Name=@FirewallAPI.dll,-32819|Desc=@FirewallAPI.dll,-32820|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-WSDEVNT-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", 
"lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-WSDEVNTS-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=5358|App=System|Name=@FirewallAPI.dll,-32813|Desc=@FirewallAPI.dll,-32814|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-WSDEVNTS-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-385.attackrange.local", "process_guid": "{D8DCB3A2-4534-60D0-1500-00000000D001}", "process_id": "1260", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\NETDIS-WSDEVNTS-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=5358|App=System|Name=@FirewallAPI.dll,-32815|Desc=@FirewallAPI.dll,-32816|EmbedCtxt=@FirewallAPI.dll,-32752|", "registry_value_name": "NETDIS-WSDEVNTS-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:46", "lastTime": "2025-12-09T22:45:46"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{01840C1C-B259-4AB7-8E7F-05EC438746B9}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{01840C1C-B259-4AB7-8E7F-05EC438746B9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{34E09A4E-C5AC-45E0-AEDD-A44838B563EC}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{34E09A4E-C5AC-45E0-AEDD-A44838B563EC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{48E3F7FB-1BA0-4D69-808F-C28B9CED76D1}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox (C:\\Program Files\\Mozilla Firefox)|", "registry_value_name": "{48E3F7FB-1BA0-4D69-808F-C28B9CED76D1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{67EA7CBD-FFDC-4C9B-AF10-BFC1F591687F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox (C:\\Program Files\\Mozilla Firefox)|", "registry_value_name": "{67EA7CBD-FFDC-4C9B-AF10-BFC1F591687F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6C866F19-C118-4CBE-A9EF-ABAE6EEDB254}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6C866F19-C118-4CBE-A9EF-ABAE6EEDB254}", "registry_value_type": "unknown", "status": "success", 
"user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7C87B27E-B5BD-489E-A8D1-C7DEDDCF14E1}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7C87B27E-B5BD-489E-A8D1-C7DEDDCF14E1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8F4D24B9-9419-41E0-892B-6413FCC175CC}", "registry_key_name": "FirewallRules", 
"registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8F4D24B9-9419-41E0-892B-6413FCC175CC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{93255307-7D6E-4DF6-8A4F-E968878269F4}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{93255307-7D6E-4DF6-8A4F-E968878269F4}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B8F02D4C-E8BC-403D-BAFB-C388CC92C2B1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B8F02D4C-E8BC-403D-BAFB-C388CC92C2B1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BFC8C8C5-FCFE-4001-A38C-F321018BCFCE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{BFC8C8C5-FCFE-4001-A38C-F321018BCFCE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C214587B-AAFF-458B-9357-E9EE98E857BF}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C214587B-AAFF-458B-9357-E9EE98E857BF}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CF8FE2DA-6F66-43D3-9CF1-6DF8EF5206F2}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CF8FE2DA-6F66-43D3-9CF1-6DF8EF5206F2}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-B390-6006-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D11EDC2E-F419-439A-B073-8D0702BCE785}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2777022995-896493958-3632306852-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{D11EDC2E-F419-439A-B073-8D0702BCE785}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{2A1FA4D1-C26A-4564-8866-7104229B4B61}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{2A1FA4D1-C26A-4564-8866-7104229B4B61}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{58E4A5D3-7E16-4009-8BF0-E30AFC996087}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{58E4A5D3-7E16-4009-8BF0-E30AFC996087}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5AF2EC4F-1A32-4BB2-9810-4D233850EA57}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{5AF2EC4F-1A32-4BB2-9810-4D233850EA57}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6AB423A6-20EA-4DA3-A865-667C0F9BBA72}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6AB423A6-20EA-4DA3-A865-667C0F9BBA72}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7FA31C9E-9710-4315-B20C-F8A20CBB24CA}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7FA31C9E-9710-4315-B20C-F8A20CBB24CA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{94751B5C-579E-4BEA-8FF6-690FBB7CBFD0}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{94751B5C-579E-4BEA-8FF6-690FBB7CBFD0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BDFDE681-9BAD-4122-91A2-D77F20E8D075}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{BDFDE681-9BAD-4122-91A2-D77F20E8D075}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C8AC9916-8B7A-405C-A6A1-54B7AA4F1C86}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C8AC9916-8B7A-405C-A6A1-54B7AA4F1C86}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DAC590BD-0FAB-4036-A1E2-2C4A42F09FF4}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{DAC590BD-0FAB-4036-A1E2-2C4A42F09FF4}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E4C73B3D-F54E-447A-A7AA-859D25059871}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E4C73B3D-F54E-447A-A7AA-859D25059871}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-7F30-614D-1500-00000000FC01}", "process_id": "1216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E607C98C-A5BE-4898-BB6E-011BA6C453A8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2741910449-3045839080-4200281267-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E607C98C-A5BE-4898-BB6E-011BA6C453A8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1AFC97F3-C1FD-47EA-8DCC-7FFA729200C3}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1AFC97F3-C1FD-47EA-8DCC-7FFA729200C3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{42639513-1378-43CE-95B2-DF37E33A4EB6}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{42639513-1378-43CE-95B2-DF37E33A4EB6}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4FA9D801-FCE8-4B4D-B9EB-5BF44F8DCE89}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4FA9D801-FCE8-4B4D-B9EB-5BF44F8DCE89}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{74B893AE-BD8B-41DF-8B57-1533F005042F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{74B893AE-BD8B-41DF-8B57-1533F005042F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{78D36AA7-6091-40B1-B67B-4AC379B6C1BB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{78D36AA7-6091-40B1-B67B-4AC379B6C1BB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{97DE9BB6-7903-4465-841C-D32AA667C44E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{97DE9BB6-7903-4465-841C-D32AA667C44E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9CE4C4FD-097E-41B8-84BC-C579BB1A5039}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9CE4C4FD-097E-41B8-84BC-C579BB1A5039}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9D86A1CE-75BA-4B23-A703-9ACED3C5D39C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{9D86A1CE-75BA-4B23-A703-9ACED3C5D39C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A10BE70E-AF93-449E-890D-E1BE7E8FBC68}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A10BE70E-AF93-449E-890D-E1BE7E8FBC68}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C5DF6C80-EFCB-4A6C-A4D5-049711BFDF01}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C5DF6C80-EFCB-4A6C-A4D5-049711BFDF01}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{7E531255-3C72-5FCF-0000-001066F10000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DBCEFEE6-C23C-46DB-9CF2-FCEDD33754BC}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-645112074-2951002314-2636596254-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DBCEFEE6-C23C-46DB-9CF2-FCEDD33754BC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{145A1A83-E1E5-44FB-A1F1-CB238CBC4985}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": 
"{145A1A83-E1E5-44FB-A1F1-CB238CBC4985}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3B17D076-DE77-4C02-A8FF-50A125E3C550}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3B17D076-DE77-4C02-A8FF-50A125E3C550}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{41B05ED9-BA06-4E78-A0D7-525C4EA04B8E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{41B05ED9-BA06-4E78-A0D7-525C4EA04B8E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8200FC42-5139-4A82-8FE3-12340A387F4A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8200FC42-5139-4A82-8FE3-12340A387F4A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8300D201-A9C5-4D4D-98AE-43574E1A7B58}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8300D201-A9C5-4D4D-98AE-43574E1A7B58}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9E7FEBD7-3FDB-4362-9FF5-EFBC49282595}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{9E7FEBD7-3FDB-4362-9FF5-EFBC49282595}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A859B73B-6223-489C-9219-9D32E64F4910}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A859B73B-6223-489C-9219-9D32E64F4910}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B948967A-0FD0-4FDB-AECF-36AE1E670428}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B948967A-0FD0-4FDB-AECF-36AE1E670428}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9BA893C-159F-488E-8EA4-1FDFC132F304}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B9BA893C-159F-488E-8EA4-1FDFC132F304}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CF3AB79B-1211-4408-8606-B0E38EB43E9C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CF3AB79B-1211-4408-8606-B0E38EB43E9C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-431.attackrange.local", "process_guid": "{B0A3CCD1-901E-5FCF-0000-00104BF20000}", "process_id": "1592", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F72F7B9E-16FA-48FE-8297-B1C10FB1D0F1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2463588093-886853371-3342197318-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F72F7B9E-16FA-48FE-8297-B1C10FB1D0F1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{16EEDFF0-8258-4DDA-ADAA-88B2AFC2E471}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox (C:\\Program Files\\Mozilla Firefox)|", "registry_value_name": "{16EEDFF0-8258-4DDA-ADAA-88B2AFC2E471}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{214AED19-B7BB-4A10-8860-2E7C09DD5617}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{214AED19-B7BB-4A10-8860-2E7C09DD5617}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{36AFAECD-731F-4EAB-BF8E-26ABBDB9CF37}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{36AFAECD-731F-4EAB-BF8E-26ABBDB9CF37}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5BE8FC8E-BDDE-4FFE-A3FD-32223BC634E2}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox (C:\\Program Files\\Mozilla Firefox)|", "registry_value_name": "{5BE8FC8E-BDDE-4FFE-A3FD-32223BC634E2}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": 
"{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6AA62998-79C1-4573-AAB4-78A2D41C8E99}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6AA62998-79C1-4573-AAB4-78A2D41C8E99}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{90B42FC2-2534-4BA0-9A53-F71BF8AB4F92}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{90B42FC2-2534-4BA0-9A53-F71BF8AB4F92}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{94A00FA3-26DE-47D2-A2F2-C2D729EFD471}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{94A00FA3-26DE-47D2-A2F2-C2D729EFD471}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9AD33F43-BA68-46BA-B70D-4281E9ED227C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9AD33F43-BA68-46BA-B70D-4281E9ED227C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{ABF01AB1-8776-45B9-92C1-38DDD03E5D79}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{ABF01AB1-8776-45B9-92C1-38DDD03E5D79}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B07A1A03-FAD3-4152-8578-2E570A6EF22F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B07A1A03-FAD3-4152-8578-2E570A6EF22F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BA9AD02E-B8F1-4B33-BE00-C335F110B645}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{BA9AD02E-B8F1-4B33-BE00-C335F110B645}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E10A9EBF-1EBD-4015-B448-24B4DAB8DBC1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E10A9EBF-1EBD-4015-B448-24B4DAB8DBC1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-8E46-6005-1500-00000000A301}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F0470520-4E88-4698-9859-6FDD736DFDFD}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2311372046-1276363322-545193238-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F0470520-4E88-4698-9859-6FDD736DFDFD}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-6DD9-60FA-1600-00000000E601}", "process_id": "1332", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1972FC9D-57F8-4D39-8F14-BAAE991A552C}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{1972FC9D-57F8-4D39-8F14-BAAE991A552C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-6DD9-60FA-1600-00000000E601}", "process_id": "1332", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", 
"registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4D6B0593-D34B-4FF1-A5F0-74026A15C5C0}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{4D6B0593-D34B-4FF1-A5F0-74026A15C5C0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-6DD9-60FA-1600-00000000E601}", "process_id": "1332", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{79D040FC-CE0C-45C3-A76A-576B766654AA}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\\Users\\Administrator\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe|Name=FiddlerProxy|Desc=Permit inbound connections to Fiddler|Defer=User|", "registry_value_name": "{79D040FC-CE0C-45C3-A76A-576B766654AA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-6DD9-60FA-1600-00000000E601}", "process_id": "1332", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{ACF2F4CB-6A7F-4961-8443-0B58C6A5FCCC}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=6004|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe|Name=Microsoft Office Outlook|", "registry_value_name": "{ACF2F4CB-6A7F-4961-8443-0B58C6A5FCCC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-6DD9-60FA-1600-00000000E601}", "process_id": "1332", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CBE23C67-10FF-4F05-91D5-766B9083AB49}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{CBE23C67-10FF-4F05-91D5-766B9083AB49}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-6DD9-60FA-1600-00000000E601}", "process_id": "1332", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E0772983-0BAB-4694-9C9E-E489CDEA9409}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{E0772983-0BAB-4694-9C9E-E489CDEA9409}", "registry_value_type": "unknown", "status": "success", "user": "unknown", 
"vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0644D473-0552-4D4E-817C-BB1C9FE6C008}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{0644D473-0552-4D4E-817C-BB1C9FE6C008}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1B64D42D-EC1B-41CB-9FE6-0FBA2AF4EB73}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1B64D42D-EC1B-41CB-9FE6-0FBA2AF4EB73}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3F486356-B4D7-4838-9C1E-41D29996F939}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3F486356-B4D7-4838-9C1E-41D29996F939}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4386E2DB-04FF-4543-92E9-BC7D5F52AB1F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4386E2DB-04FF-4543-92E9-BC7D5F52AB1F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5A20D9FA-C9C4-4FDA-ADA2-B7ADCA280718}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{5A20D9FA-C9C4-4FDA-ADA2-B7ADCA280718}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{67DB92B6-2197-477B-8C24-6CF7815C666F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{67DB92B6-2197-477B-8C24-6CF7815C666F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{85DBBBE7-E1FB-4221-8CEC-FFAA541F01EE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{85DBBBE7-E1FB-4221-8CEC-FFAA541F01EE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B370DD5B-81F0-4A12-924F-B24B02B9FE9A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B370DD5B-81F0-4A12-924F-B24B02B9FE9A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B3F8063E-0115-4AAC-A0B5-D89DCA496C93}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B3F8063E-0115-4AAC-A0B5-D89DCA496C93}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BF209785-C7E6-487A-A292-9197E8A00E30}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{BF209785-C7E6-487A-A292-9197E8A00E30}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1500-00000000CF01}", "process_id": "1252", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DC2F4147-D82D-4754-8A63-17AAE07FBE01}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2118462944-3700899439-1824161655-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DC2F4147-D82D-4754-8A63-17AAE07FBE01}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{04228964-099E-46E4-8C95-72AD8E3E60A9}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{04228964-099E-46E4-8C95-72AD8E3E60A9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0D460CA8-CD05-4E0E-BAD7-888052F1DCFE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{0D460CA8-CD05-4E0E-BAD7-888052F1DCFE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{133B1D0F-B854-46DD-BD5C-A48FCD7B8CAA}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{133B1D0F-B854-46DD-BD5C-A48FCD7B8CAA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1F093F80-EC11-497C-8B74-FD25567904C9}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1F093F80-EC11-497C-8B74-FD25567904C9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3B0D8F4F-7BA3-4C87-8E34-D0ECF14436DF}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3B0D8F4F-7BA3-4C87-8E34-D0ECF14436DF}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{67C2BA89-E802-4BEE-A15A-2367513E3FD3}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{67C2BA89-E802-4BEE-A15A-2367513E3FD3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7E5BB6AA-680D-4334-85ED-63D02B8D7C4F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", 
"registry_value_name": "{7E5BB6AA-680D-4334-85ED-63D02B8D7C4F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{93A89816-5DA2-447D-990C-3503018C315C}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{93A89816-5DA2-447D-990C-3503018C315C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9CE157FC-94E2-45DC-8511-E64E9F55A627}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9CE157FC-94E2-45DC-8511-E64E9F55A627}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B038725F-4FA0-45AA-A203-A9EC066B3A80}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B038725F-4FA0-45AA-A203-A9EC066B3A80}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-633.attackrange.local", "process_guid": "{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}", "process_id": "1588", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F45F0D3D-89FD-4653-8B66-2BF322B9BCD9}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3911646319-387810913-1839908539-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F45F0D3D-89FD-4653-8B66-2BF322B9BCD9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{2ACE7708-BA41-4E05-9FF7-349D5E61578D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{2ACE7708-BA41-4E05-9FF7-349D5E61578D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3ACE882F-9150-4187-94FE-25A24C868182}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{3ACE882F-9150-4187-94FE-25A24C868182}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6969DC6E-008D-4F4D-B60F-7163A88D1B8F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6969DC6E-008D-4F4D-B60F-7163A88D1B8F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6A1476DE-7B90-47A1-9EE0-56CE30D7FA52}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6A1476DE-7B90-47A1-9EE0-56CE30D7FA52}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{894D97BA-C865-4FAE-BC20-62325C694D70}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{894D97BA-C865-4FAE-BC20-62325C694D70}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8EE13A1E-FA15-4392-8777-4BC3C6E7F4FB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8EE13A1E-FA15-4392-8777-4BC3C6E7F4FB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9AA14EDB-7FE9-4325-A117-297CB952FF68}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9AA14EDB-7FE9-4325-A117-297CB952FF68}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C962F182-3508-48AA-AC69-99CCD8DC4638}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C962F182-3508-48AA-AC69-99CCD8DC4638}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DCFD8987-289E-4BA9-9D8A-6172E770CF1A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DCFD8987-289E-4BA9-9D8A-6172E770CF1A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{EFCADC90-B126-437A-B1AB-5C5654D3472E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{EFCADC90-B126-437A-B1AB-5C5654D3472E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-AF8C-6050-1500-00000000AE01}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F24AC7DC-7004-46F6-AAD3-38B2DB1D3161}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-750532476-3956299320-1675380311-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F24AC7DC-7004-46F6-AAD3-38B2DB1D3161}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1BC9ACA1-7786-4DC1-946B-52D04B91F73D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1BC9ACA1-7786-4DC1-946B-52D04B91F73D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{33DDB867-C075-4C51-8C3F-00F7F3C4EC99}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{33DDB867-C075-4C51-8C3F-00F7F3C4EC99}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{46E95188-FB38-44A4-AF06-B96362CB989B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{46E95188-FB38-44A4-AF06-B96362CB989B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{552CD5EC-AB04-4112-AB13-9C54023741CD}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{552CD5EC-AB04-4112-AB13-9C54023741CD}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{87B2B80E-F3F5-4D3C-9461-27F638D5542A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{87B2B80E-F3F5-4D3C-9461-27F638D5542A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8950A88B-8B34-49C3-8E1C-186D75F0753E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8950A88B-8B34-49C3-8E1C-186D75F0753E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8CF920AD-6A1A-4F9C-BD8E-51D7AD53955C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{8CF920AD-6A1A-4F9C-BD8E-51D7AD53955C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9A18D857-7B6A-469D-B408-09136923D99C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9A18D857-7B6A-469D-B408-09136923D99C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CDC084F0-C1BA-49D9-97CB-D19E2E7006B1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CDC084F0-C1BA-49D9-97CB-D19E2E7006B1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DA14A191-A335-4E1E-9ECD-2BB51E8EC8CE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DA14A191-A335-4E1E-9ECD-2BB51E8EC8CE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-692.attackrange.local", "process_guid": "{B364217D-61FE-5FCE-0000-00107DF00000}", "process_id": "1564", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E01895E0-CF75-4669-AE82-8296DDA19ADE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2034510999-1345200767-2897500970-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E01895E0-CF75-4669-AE82-8296DDA19ADE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:56:46", "lastTime": "2025-12-10T02:56:46"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{12442027-5213-44A4-9763-6227ADA94635}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{12442027-5213-44A4-9763-6227ADA94635}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1A5AFE19-2BEF-415C-AC3E-DF3CC1C168B7}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1A5AFE19-2BEF-415C-AC3E-DF3CC1C168B7}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1C540A0A-A087-45CB-8FE2-428FEC838408}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1C540A0A-A087-45CB-8FE2-428FEC838408}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{72C89B15-3C3D-4FE4-87DC-FEB1BB65F00F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{72C89B15-3C3D-4FE4-87DC-FEB1BB65F00F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{741C7141-CAD5-4148-9893-F44D18CD525E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{741C7141-CAD5-4148-9893-F44D18CD525E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B84886F4-76FE-4BA6-B5C9-8CEE834D7145}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B84886F4-76FE-4BA6-B5C9-8CEE834D7145}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C25BA748-C7F8-44DC-892F-F8B7D839CE80}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C25BA748-C7F8-44DC-892F-F8B7D839CE80}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D4D3A619-0C22-4381-AEA2-1E18464450B5}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{D4D3A619-0C22-4381-AEA2-1E18464450B5}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E1EE581B-6A0D-44F7-807B-FE05612C09AD}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E1EE581B-6A0D-44F7-807B-FE05612C09AD}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E3908055-8621-4F8D-99A7-BE31FD1D8BAE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E3908055-8621-4F8D-99A7-BE31FD1D8BAE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F13-604B-1600-00000000AD01}", "process_id": "1580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E9DD6FE4-9CF8-47FA-A2BF-3598BEAF916E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-895169564-1244314668-1918322960-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E9DD6FE4-9CF8-47FA-A2BF-3598BEAF916E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-DCOM-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=135|App=%%systemroot%%\\system32\\svchost.exe|Svc=RPCSS|Name=@fssmres.dll,-103|Desc=@fssmres.dll,-104|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-DCOM-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-SMB-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@fssmres.dll,-105|Desc=@fssmres.dll,-106|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-SMB-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-Winmgmt-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%%systemroot%%\\system32\\svchost.exe|Svc=Winmgmt|Name=@fssmres.dll,-101|Desc=@fssmres.dll,-102|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-Winmgmt-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{48B3121A-5979-4B04-9277-3454B18069B1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{48B3121A-5979-4B04-9277-3454B18069B1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{565E5F87-6BE0-44C9-AA16-6A7AE1C75479}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{565E5F87-6BE0-44C9-AA16-6A7AE1C75479}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5A046511-B376-45AD-82E4-9B2500B02907}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{5A046511-B376-45AD-82E4-9B2500B02907}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8360317B-2506-4847-AFB9-2AEEC446D8A1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8360317B-2506-4847-AFB9-2AEEC446D8A1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{88F0E648-0D8B-4D28-ACEF-106241538CCD}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{88F0E648-0D8B-4D28-ACEF-106241538CCD}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B25D85CD-8C95-4697-9BD9-63F9A00BCB61}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B25D85CD-8C95-4697-9BD9-63F9A00BCB61}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C17459FF-38A9-46D3-9880-B37E057AA172}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C17459FF-38A9-46D3-9880-B37E057AA172}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DCFF21D8-D45C-4364-AB82-D9ABEBD7E6D4}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DCFF21D8-D45C-4364-AB82-D9ABEBD7E6D4}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E169EC1D-A36E-4777-BD53-FC7A0911E12F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E169EC1D-A36E-4777-BD53-FC7A0911E12F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FA69B51F-02DF-4472-9959-4AF528F855B1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{FA69B51F-02DF-4472-9959-4AF528F855B1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DA8E-6113-1500-00000000E501}", "process_id": "1236", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FBD64222-A62A-4781-BE6D-F4A8A0F5D784}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4098349297-3042404783-2477287307-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{FBD64222-A62A-4781-BE6D-F4A8A0F5D784}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1500-00000000AF01}", "process_id": "1232", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{668AF173-27CC-49F4-9DCE-7BBFDDEC181B}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{668AF173-27CC-49F4-9DCE-7BBFDDEC181B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1500-00000000AF01}", "process_id": "1232", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", 
"registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8E895A83-D5F5-45DC-81EE-799FB6CFCEFF}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{8E895A83-D5F5-45DC-81EE-799FB6CFCEFF}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1500-00000000AF01}", "process_id": "1232", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BC26E150-85B8-4645-8CBD-A88374EB8AB6}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{BC26E150-85B8-4645-8CBD-A88374EB8AB6}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1500-00000000AF01}", "process_id": "1232", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E87BF0E3-AF8B-4130-A5F9-21AD6A8D0FD5}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=6004|App=C:\\Program Files\\Microsoft 
Office\\root\\Office16\\outlook.exe|Name=Microsoft Office Outlook|", "registry_value_name": "{E87BF0E3-AF8B-4130-A5F9-21AD6A8D0FD5}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1500-00000000AF01}", "process_id": "1232", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{EEDE92A1-A0F3-4F22-98EA-7B8A550D361C}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{EEDE92A1-A0F3-4F22-98EA-7B8A550D361C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{29E20594-C289-41D5-84ED-FE195B8F34BE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{29E20594-C289-41D5-84ED-FE195B8F34BE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{2D8803FC-C6C4-4857-9138-008066C3ACC8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{2D8803FC-C6C4-4857-9138-008066C3ACC8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{40D70A60-B2F6-48CE-99F6-2D7C7698A637}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{40D70A60-B2F6-48CE-99F6-2D7C7698A637}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9FA2AD00-9DCB-419C-A829-3001D4EAD2D6}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9FA2AD00-9DCB-419C-A829-3001D4EAD2D6}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A1AE94CE-6A7D-4595-AE10-42357FE58954}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A1AE94CE-6A7D-4595-AE10-42357FE58954}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CB04DF19-985E-4DCF-A70A-8EB4AF96DFBC}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CB04DF19-985E-4DCF-A70A-8EB4AF96DFBC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CB9CE176-98CD-4440-81D8-C4D0F615C238}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CB9CE176-98CD-4440-81D8-C4D0F615C238}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CF587D09-6019-4820-AD86-AA38CA29C8DE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CF587D09-6019-4820-AD86-AA38CA29C8DE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E18ACCA9-26B0-4489-9750-CBAF9606BE2F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E18ACCA9-26B0-4489-9750-CBAF9606BE2F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{EDFEC311-6084-4835-9B9A-FCB5F059268C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{EDFEC311-6084-4835-9B9A-FCB5F059268C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-646C-6064-1600-00000000AE01}", "process_id": "1584", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F6A61CBC-5D69-4F0A-96E8-0897A7A528FB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-4055678433-3894535204-3898404691-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F6A61CBC-5D69-4F0A-96E8-0897A7A528FB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{07AD19BB-0247-4DF2-A6A2-1F20E4C0A413}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{07AD19BB-0247-4DF2-A6A2-1F20E4C0A413}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0FFAB19C-26A3-46F0-871F-2A91F7294CEB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{0FFAB19C-26A3-46F0-871F-2A91F7294CEB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{110957DD-4AEC-4949-B31C-8DE97833A18F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{110957DD-4AEC-4949-B31C-8DE97833A18F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4AA17E41-5420-40D1-8503-9D53F5104D0E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4AA17E41-5420-40D1-8503-9D53F5104D0E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{61653A51-6C17-45F6-90AD-CF01CDD9BD9A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{61653A51-6C17-45F6-90AD-CF01CDD9BD9A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6E5B3F1C-D986-4F1F-94FA-5AABFB4E62BB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6E5B3F1C-D986-4F1F-94FA-5AABFB4E62BB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{77AB60CC-96D8-468D-B8EC-2C83A379075F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{77AB60CC-96D8-468D-B8EC-2C83A379075F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A0294761-BDC8-4518-818E-B9AFB7AF055D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A0294761-BDC8-4518-818E-B9AFB7AF055D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D6E02128-D960-40F5-B55E-A54998BDB10D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{D6E02128-D960-40F5-B55E-A54998BDB10D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E973BD09-5344-45BE-839E-9D0A278E2049}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{E973BD09-5344-45BE-839E-9D0A278E2049}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-919.attackrange.local", "process_guid": "{172D79BE-E261-6001-1500-00000000A301}", "process_id": "1500", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FEBBD90F-EB00-4890-B147-9C7B80FF8FC0}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2145421733-4221739037-571813843-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{FEBBD90F-EB00-4890-B147-9C7B80FF8FC0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-DCOM-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=135|App=%%systemroot%%\\system32\\svchost.exe|Svc=RPCSS|Name=@fssmres.dll,-103|Desc=@fssmres.dll,-104|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-DCOM-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-SMB-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@fssmres.dll,-105|Desc=@fssmres.dll,-106|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-SMB-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-Winmgmt-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%%systemroot%%\\system32\\svchost.exe|Svc=Winmgmt|Name=@fssmres.dll,-101|Desc=@fssmres.dll,-102|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-Winmgmt-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{221ED3B5-0ED4-448C-A9E5-B4DBFC5AC306}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{221ED3B5-0ED4-448C-A9E5-B4DBFC5AC306}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4BE3217C-464A-47C0-9F3C-B5A1F5011FF8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4BE3217C-464A-47C0-9F3C-B5A1F5011FF8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4E32C45B-9A3A-47A2-9449-1AF5F1D4F525}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4E32C45B-9A3A-47A2-9449-1AF5F1D4F525}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7E261A98-E9C8-4C17-8A4E-751EF2A5F2C2}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7E261A98-E9C8-4C17-8A4E-751EF2A5F2C2}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7FAEA5E9-0964-4F23-9B05-E661B1365123}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7FAEA5E9-0964-4F23-9B05-E661B1365123}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{81BFE232-E24C-44C9-BB3D-796156B5440C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{81BFE232-E24C-44C9-BB3D-796156B5440C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{82BDFB5A-AF1B-43EE-A709-EE70D3902230}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{82BDFB5A-AF1B-43EE-A709-EE70D3902230}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{91D52692-6358-4AE9-8C33-DEAA0FE6127D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{91D52692-6358-4AE9-8C33-DEAA0FE6127D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A57FFCBF-DAB5-48FE-8175-F630B04ABD44}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{A57FFCBF-DAB5-48FE-8175-F630B04ABD44}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{CEB37023-8CF8-4A02-83A5-E8C59C9F693A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{CEB37023-8CF8-4A02-83A5-E8C59C9F693A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-4656-609D-1300-00000000BA01}", "process_id": "1076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D4399835-06EC-4008-8504-B0D4330EE6B8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3487033156-4149574945-3951608832-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{D4399835-06EC-4008-8504-B0D4330EE6B8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0F70AB84-2452-44B5-A35A-09B84F9AA39E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{0F70AB84-2452-44B5-A35A-09B84F9AA39E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{12AA197F-7F50-4F46-8DD2-E6AF8D461845}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{12AA197F-7F50-4F46-8DD2-E6AF8D461845}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1341A278-6675-40A8-AAE0-C291F88938A4}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1341A278-6675-40A8-AAE0-C291F88938A4}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{61B1426E-4531-4BB6-B585-BD0A22A3243A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{61B1426E-4531-4BB6-B585-BD0A22A3243A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6C60AB82-7F3C-4C42-9B43-E519B84B81BC}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6C60AB82-7F3C-4C42-9B43-E519B84B81BC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7373A600-6ED8-4E52-B972-43FCD8C9564C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7373A600-6ED8-4E52-B972-43FCD8C9564C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7B7968F9-A0A4-401C-B0C8-B2D6DFFD136B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7B7968F9-A0A4-401C-B0C8-B2D6DFFD136B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{88407D7A-2394-49C1-806B-746AAF326586}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{88407D7A-2394-49C1-806B-746AAF326586}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8FCAACEB-30C7-4BB3-8FBF-4C1DDBF0D22E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8FCAACEB-30C7-4BB3-8FBF-4C1DDBF0D22E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C85B9E95-8878-43F4-BA0E-D07431C64E28}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C85B9E95-8878-43F4-BA0E-D07431C64E28}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E28-635A-1600-000000008A02}", "process_id": "1336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F20F4229-2C70-4A57-949E-0F318F0194B0}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3654133429-2950718773-2133640725-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F20F4229-2C70-4A57-949E-0F318F0194B0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{052F00F8-9916-4CF7-9D72-6A116799927F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\windows\\rutserv.exe|Name=System Service|", "registry_value_name": "{052F00F8-9916-4CF7-9D72-6A116799927F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:06", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0A3DF655-798C-4F61-890F-A283BEC824DC}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\WindowsTask\\AMD.exe|Name=Security Service|", "registry_value_name": "{0A3DF655-798C-4F61-890F-A283BEC824DC}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:05", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{0ABBA2DE-FA39-4D11-9BF0-65BAD308380A}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Block|Active=TRUE|Dir=In|Protocol=17|LPort=445|Name=Port Blocking|", "registry_value_name": "{0ABBA2DE-FA39-4D11-9BF0-65BAD308380A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:04", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{227690FC-E00F-41D7-B3FE-47305502F317}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=139|Name=Port Block|", "registry_value_name": "{227690FC-E00F-41D7-B3FE-47305502F317}", "registry_value_type": "unknown", "status": "success", "user": "unknown", 
"vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:05", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{2DD03F2E-6996-4DE4-A7AC-1AEBBC832E1A}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|LPort=9393|Name=AllowPort4|", "registry_value_name": "{2DD03F2E-6996-4DE4-A7AC-1AEBBC832E1A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:08", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{36D23474-F2B6-4DB2-82E7-D00DA6DCE9E1}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\rundll\\Eternalblue-2.2.0.exe|Name=Small Service|", "registry_value_name": "{36D23474-F2B6-4DB2-82E7-D00DA6DCE9E1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:07", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4B059347-DB25-4E41-B38A-D0DAD1F53EED}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\WindowsTask\\MicrosoftHost.exe|Name=Recovery Service|", "registry_value_name": "{4B059347-DB25-4E41-B38A-D0DAD1F53EED}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:05", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{539A5442-DDBD-4C81-99F7-240061BDB606}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\rundll\\system.exe|Name=Shell Service|", "registry_value_name": "{539A5442-DDBD-4C81-99F7-240061BDB606}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:06", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5C57442E-B563-4999-A55D-380B3E77A92C}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Block|Active=TRUE|Dir=In|Protocol=17|LPort=139|Name=Port Block|", "registry_value_name": "{5C57442E-B563-4999-A55D-380B3E77A92C}", "registry_value_type": "unknown", "status": 
"success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:05", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{617E4B42-BFBC-46C3-8230-6AF9E1BB1FD0}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\\ProgramData\\WindowsTask\\AppModule.exe|Name=Shadow Services|", "registry_value_name": "{617E4B42-BFBC-46C3-8230-6AF9E1BB1FD0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:05", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6D918A11-787F-49F4-A62D-DCBACD0AC7CF}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\Windows\\rutserv.exe|Name=RMS - Host|Desc=Remote access software.|", "registry_value_name": "{6D918A11-787F-49F4-A62D-DCBACD0AC7CF}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:55", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", 
"registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{702EFB86-3671-41D4-BF6C-6D46B86CF7E5}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\\ProgramData\\WindowsTask\\AMD.exe|Name=Security Services|", "registry_value_name": "{702EFB86-3671-41D4-BF6C-6D46B86CF7E5}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:06", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7283B1D8-B761-4F38-90A8-A3921AA3E183}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|LPort=9494|Name=AllowPort3|", "registry_value_name": "{7283B1D8-B761-4F38-90A8-A3921AA3E183}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:08", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{87B8FF05-6723-4F50-BFF0-AD9A21EC3170}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=allow RDP|", "registry_value_name": "{87B8FF05-6723-4F50-BFF0-AD9A21EC3170}", "registry_value_type": "unknown", "status": "success", 
"user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:19", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{89467592-7953-4458-B3AE-AB020BB7C476}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\\ProgramData\\WindowsTask\\MicrosoftHost.exe|Name=Recovery Services|", "registry_value_name": "{89467592-7953-4458-B3AE-AB020BB7C476}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:05", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9278759E-5A14-4075-958C-FBB44ADAD3CA}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=Port Blocking|", "registry_value_name": "{9278759E-5A14-4075-958C-FBB44ADAD3CA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:04", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9C1B0E65-943B-4699-B0FA-F16BACAB99DF}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\rundll\\Doublepulsar-1.3.1.exe|Name=Micro Service|", "registry_value_name": "{9C1B0E65-943B-4699-B0FA-F16BACAB99DF}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:07", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9E8727EC-CE55-45C8-A289-44886F4BAA8F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\RealtekHD\\taskhostw.exe|Name=Survile Service|", "registry_value_name": "{9E8727EC-CE55-45C8-A289-44886F4BAA8F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:06", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B3B7EF31-50A6-4FB9-A5D2-B4564C8D9769}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\rundll\\rundll.exe|Name=Script Service|", "registry_value_name": "{B3B7EF31-50A6-4FB9-A5D2-B4564C8D9769}", 
"registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:06", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BFBD1D86-39D5-45D0-9FB1-6B7BE38A4A94}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=9393|Name=AllowPort2|", "registry_value_name": "{BFBD1D86-39D5-45D0-9FB1-6B7BE38A4A94}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:07", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{EA5FEAEA-2DE3-4FE8-BB2C-76E989CED18F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\ProgramData\\WindowsTask\\AppModule.exe|Name=Shadow Service|", "registry_value_name": "{EA5FEAEA-2DE3-4FE8-BB2C-76E989CED18F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:05", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", 
"registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{EB6D2000-5101-413F-BBEF-D71D1A495D57}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=9494|Name=AllowPort1|", "registry_value_name": "{EB6D2000-5101-413F-BBEF-D71D1A495D57}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:07", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E26D-62A1-1600-000000006102}", "process_id": "1320", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F20E0526-ED22-48B3-8695-18A5891B8EC7}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Remote Desktop|", "registry_value_name": "{F20E0526-ED22-48B3-8695-18A5891B8EC7}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:22", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-DCOM-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=135|App=%%systemroot%%\\system32\\svchost.exe|Svc=RPCSS|Name=@fssmres.dll,-103|Desc=@fssmres.dll,-104|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": 
"FileServer-ServerManager-DCOM-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:58", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-SMB-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@fssmres.dll,-105|Desc=@fssmres.dll,-106|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-SMB-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:58", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-Winmgmt-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%%systemroot%%\\system32\\svchost.exe|Svc=Winmgmt|Name=@fssmres.dll,-101|Desc=@fssmres.dll,-102|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-Winmgmt-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:58", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", 
"dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{41F510DB-FCF5-46B0-BA4F-3739A88001EA}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{41F510DB-FCF5-46B0-BA4F-3739A88001EA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:55", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{60F64160-F82A-4F7A-86E3-19D443FCE7F8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{60F64160-F82A-4F7A-86E3-19D443FCE7F8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:53", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{66ECFE4E-F5B5-4E8B-9207-1BD292A4D55F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{66ECFE4E-F5B5-4E8B-9207-1BD292A4D55F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:55", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9352F9B9-9780-4CC2-A324-1B99619232E8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9352F9B9-9780-4CC2-A324-1B99619232E8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:56", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{953BB864-8EAF-4720-BFA9-E88A34C59948}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{953BB864-8EAF-4720-BFA9-E88A34C59948}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:55", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{AA674F2F-3F47-4658-8610-9F0218CEC4CB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{AA674F2F-3F47-4658-8610-9F0218CEC4CB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:53", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DB9F0467-F941-4BF3-B1EB-F59D5FAF6910}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DB9F0467-F941-4BF3-B1EB-F59D5FAF6910}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:54", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F07CD0FE-EF25-4759-A79F-25A23A00F154}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F07CD0FE-EF25-4759-A79F-25A23A00F154}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:53", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F73530ED-6DA3-4F7D-8F38-5595E431AEDB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F73530ED-6DA3-4F7D-8F38-5595E431AEDB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:53", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F7CCF211-18C1-4B36-A961-92B66D24CEE5}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F7CCF211-18C1-4B36-A961-92B66D24CEE5}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:55", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3233-6238-1500-000000004102}", "process_id": "1224", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FBC288BD-5521-4F92-AC9F-B53DE201A2A3}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2182867758-2228517806-1658428495-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{FBC288BD-5521-4F92-AC9F-B53DE201A2A3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:12:55", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", "process_guid": "{328C47E9-32BE-621F-1500-000000003602}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C938D796-30EC-4FA3-8CCA-27D9AC69FB46}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\\Program Files\\IDA Freeware 7.6\\ida64.exe|Name=Interactive Disassembler (64-bit)|", "registry_value_name": "{C938D796-30EC-4FA3-8CCA-27D9AC69FB46}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:20:22", "lastTime": "2025-12-09T22:32:31"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", "process_guid": "{328C47E9-32BE-621F-1500-000000003602}", "process_id": "1176", 
"registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E52026B6-6DAE-4512-9205-0550734842C0}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\Program Files\\IDA Freeware 7.6\\ida64.exe|Name=IDA Freeware|", "registry_value_name": "{E52026B6-6DAE-4512-9205-0550734842C0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:20:05", "lastTime": "2025-12-09T22:32:31"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", "process_guid": "{328C47E9-32BE-621F-1500-000000003602}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F44FDBE5-5257-4CDF-8C9A-0A4ED5C1973E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\\Program Files\\IDA Freeware 7.6\\ida64.exe|Name=Interactive Disassembler (64-bit)|", "registry_value_name": "{F44FDBE5-5257-4CDF-8C9A-0A4ED5C1973E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:20:22", "lastTime": "2025-12-09T22:32:31"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP4-ERQ-In", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=1|Profile=Private|Profile=Public|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP4-ERQ-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP4-ERQ-Out", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=1|Profile=Private|Profile=Public|ICMP4=8:*|Name=@FirewallAPI.dll,-28544|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP4-ERQ-Out", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP6-ERQ-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=58|Profile=Private|Profile=Public|ICMP6=128:*|Name=@FirewallAPI.dll,-28545|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP6-ERQ-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": 
"1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-ICMP6-ERQ-Out", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=58|Profile=Private|Profile=Public|ICMP6=128:*|Name=@FirewallAPI.dll,-28546|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-ICMP6-ERQ-Out", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-LLMNR-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28548|Desc=@FirewallAPI.dll,-28549|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-LLMNR-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-LLMNR-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28550|Desc=@FirewallAPI.dll,-28551|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-LLMNR-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Datagram-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=138|App=System|Name=@FirewallAPI.dll,-28527|Desc=@FirewallAPI.dll,-28530|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Datagram-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Datagram-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort=138|App=System|Name=@FirewallAPI.dll,-28531|Desc=@FirewallAPI.dll,-28534|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Datagram-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Name-In-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=137|App=System|Name=@FirewallAPI.dll,-28519|Desc=@FirewallAPI.dll,-28522|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Name-In-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Name-Out-UDP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort=137|App=System|Name=@FirewallAPI.dll,-28523|Desc=@FirewallAPI.dll,-28526|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Name-Out-UDP", "registry_value_type": "unknown", "status": "success", "user": "unknown", 
"vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Session-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=139|App=System|Name=@FirewallAPI.dll,-28503|Desc=@FirewallAPI.dll,-28506|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Session-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-NB_Session-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RPort=139|App=System|Name=@FirewallAPI.dll,-28507|Desc=@FirewallAPI.dll,-28510|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-NB_Session-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-RPCSS-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC-EPMap|Svc=Rpcss|Name=@FirewallAPI.dll,-28539|Desc=@FirewallAPI.dll,-28542|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-RPCSS-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-SMB-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=445|App=System|Name=@FirewallAPI.dll,-28511|Desc=@FirewallAPI.dll,-28514|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-SMB-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-SMB-Out-TCP", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RPort=445|App=System|Name=@FirewallAPI.dll,-28515|Desc=@FirewallAPI.dll,-28518|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-SMB-Out-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FPS-SpoolSvc-In-TCP", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|App=%%SystemRoot%%\\system32\\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "FPS-SpoolSvc-In-TCP", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-DCOM-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=135|App=%%systemroot%%\\system32\\svchost.exe|Svc=RPCSS|Name=@fssmres.dll,-103|Desc=@fssmres.dll,-104|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-DCOM-TCP-In", 
"registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-SMB-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@fssmres.dll,-105|Desc=@fssmres.dll,-106|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-SMB-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\FileServer-ServerManager-Winmgmt-TCP-In", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%%systemroot%%\\system32\\svchost.exe|Svc=Winmgmt|Name=@fssmres.dll,-101|Desc=@fssmres.dll,-102|EmbedCtxt=@fssmres.dll,-100|", "registry_value_name": "FileServer-ServerManager-Winmgmt-TCP-In", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": 
"{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{03565169-3FB7-4337-BBD0-748A23DC5715}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Domain|RPort=138|App=System|Name=@FirewallAPI.dll,-28531|Desc=@FirewallAPI.dll,-28534|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{03565169-3FB7-4337-BBD0-748A23DC5715}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{03565169-3FB7-4337-BBD0-748A23DC5715}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|RPort=138|App=System|Name=@FirewallAPI.dll,-28531|Desc=@FirewallAPI.dll,-28534|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{03565169-3FB7-4337-BBD0-748A23DC5715}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1163C642-A669-450C-B264-5C7A0288C6B9}", 
"registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Domain|RPort=139|App=System|Name=@FirewallAPI.dll,-28507|Desc=@FirewallAPI.dll,-28510|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{1163C642-A669-450C-B264-5C7A0288C6B9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1163C642-A669-450C-B264-5C7A0288C6B9}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=139|App=System|Name=@FirewallAPI.dll,-28507|Desc=@FirewallAPI.dll,-28510|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{1163C642-A669-450C-B264-5C7A0288C6B9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1EBD19BF-9F09-4C00-B2BB-7B50E8B03995}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Domain|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28550|Desc=@FirewallAPI.dll,-28551|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{1EBD19BF-9F09-4C00-B2BB-7B50E8B03995}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1EBD19BF-9F09-4C00-B2BB-7B50E8B03995}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28550|Desc=@FirewallAPI.dll,-28551|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{1EBD19BF-9F09-4C00-B2BB-7B50E8B03995}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{25445925-DFAC-4BD2-B770-895D47ED38C4}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{25445925-DFAC-4BD2-B770-895D47ED38C4}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{47AE2065-9E63-44AA-8511-FA54E8EF6F4F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=1|Profile=Domain|ICMP4=8:*|Name=@FirewallAPI.dll,-28544|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{47AE2065-9E63-44AA-8511-FA54E8EF6F4F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": 
"{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{47AE2065-9E63-44AA-8511-FA54E8EF6F4F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=1|Profile=Domain|ICMP4=8:*|Name=@FirewallAPI.dll,-28544|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{47AE2065-9E63-44AA-8511-FA54E8EF6F4F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{4A4BE6D2-FA00-4183-8EC1-6044DDA12224}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{4A4BE6D2-FA00-4183-8EC1-6044DDA12224}", "registry_value_type": 
"unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{503E0CD6-985D-4A1D-A387-EA634BA5BA6C}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{503E0CD6-985D-4A1D-A387-EA634BA5BA6C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5984E8DA-BD3A-475A-876E-F40B8D61B60E}", "registry_key_name": 
"FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|LPort=137|App=System|Name=@FirewallAPI.dll,-28519|Desc=@FirewallAPI.dll,-28522|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{5984E8DA-BD3A-475A-876E-F40B8D61B60E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5984E8DA-BD3A-475A-876E-F40B8D61B60E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=137|App=System|Name=@FirewallAPI.dll,-28519|Desc=@FirewallAPI.dll,-28522|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{5984E8DA-BD3A-475A-876E-F40B8D61B60E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5EDD92F9-2173-4EBA-8C89-A8BD524B6504}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=445|App=System|Name=@FirewallAPI.dll,-28511|Desc=@FirewallAPI.dll,-28514|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": 
"{5EDD92F9-2173-4EBA-8C89-A8BD524B6504}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{5EDD92F9-2173-4EBA-8C89-A8BD524B6504}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=445|App=System|Name=@FirewallAPI.dll,-28511|Desc=@FirewallAPI.dll,-28514|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{5EDD92F9-2173-4EBA-8C89-A8BD524B6504}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{64569953-1EAC-43A0-B07A-BED31174A333}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Domain|RPort=445|App=System|Name=@FirewallAPI.dll,-28515|Desc=@FirewallAPI.dll,-28518|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{64569953-1EAC-43A0-B07A-BED31174A333}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": 
"win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{64569953-1EAC-43A0-B07A-BED31174A333}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=445|App=System|Name=@FirewallAPI.dll,-28515|Desc=@FirewallAPI.dll,-28518|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{64569953-1EAC-43A0-B07A-BED31174A333}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{68885CD7-3798-4953-8F4C-1A3F7DD509C0}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{68885CD7-3798-4953-8F4C-1A3F7DD509C0}", "registry_value_type": "unknown", "status": "success", 
"user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6DF255D4-4FF3-4EA9-B8C4-08CEF7626470}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|LPort=138|App=System|Name=@FirewallAPI.dll,-28527|Desc=@FirewallAPI.dll,-28530|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{6DF255D4-4FF3-4EA9-B8C4-08CEF7626470}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6DF255D4-4FF3-4EA9-B8C4-08CEF7626470}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=138|App=System|Name=@FirewallAPI.dll,-28527|Desc=@FirewallAPI.dll,-28530|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{6DF255D4-4FF3-4EA9-B8C4-08CEF7626470}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": 
"1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7D743261-EC97-4592-A74E-3C9D66069653}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=1|Profile=Domain|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{7D743261-EC97-4592-A74E-3C9D66069653}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7D743261-EC97-4592-A74E-3C9D66069653}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Profile=Domain|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{7D743261-EC97-4592-A74E-3C9D66069653}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8700B4B6-A281-4D07-84B4-C14E15E392F0}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28548|Desc=@FirewallAPI.dll,-28549|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{8700B4B6-A281-4D07-84B4-C14E15E392F0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8700B4B6-A281-4D07-84B4-C14E15E392F0}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%%SystemRoot%%\\system32\\svchost.exe|Svc=dnscache|Name=@FirewallAPI.dll,-28548|Desc=@FirewallAPI.dll,-28549|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{8700B4B6-A281-4D07-84B4-C14E15E392F0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8A8BE0EE-8B41-4F42-8793-C4C811B68302}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Domain|RPort=137|App=System|Name=@FirewallAPI.dll,-28523|Desc=@FirewallAPI.dll,-28526|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{8A8BE0EE-8B41-4F42-8793-C4C811B68302}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8A8BE0EE-8B41-4F42-8793-C4C811B68302}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|RPort=137|App=System|Name=@FirewallAPI.dll,-28523|Desc=@FirewallAPI.dll,-28526|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{8A8BE0EE-8B41-4F42-8793-C4C811B68302}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{8C724A8A-870F-4686-8E40-E4DE978274A9}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{8C724A8A-870F-4686-8E40-E4DE978274A9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{94F83870-A9AD-4670-9B3C-3F5B7E62A70D}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=58|Profile=Domain|ICMP6=128:*|Name=@FirewallAPI.dll,-28546|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{94F83870-A9AD-4670-9B3C-3F5B7E62A70D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{94F83870-A9AD-4670-9B3C-3F5B7E62A70D}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|Profile=Domain|ICMP6=128:*|Name=@FirewallAPI.dll,-28546|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{94F83870-A9AD-4670-9B3C-3F5B7E62A70D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A6B56582-EC36-4B87-A30F-C8D483D9C04E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=139|App=System|Name=@FirewallAPI.dll,-28503|Desc=@FirewallAPI.dll,-28506|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{A6B56582-EC36-4B87-A30F-C8D483D9C04E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A6B56582-EC36-4B87-A30F-C8D483D9C04E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=139|App=System|Name=@FirewallAPI.dll,-28503|Desc=@FirewallAPI.dll,-28506|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{A6B56582-EC36-4B87-A30F-C8D483D9C04E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{AEF0D579-2CDE-45E7-87EB-369FAD3BE588}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC-EPMap|Svc=Rpcss|Name=@FirewallAPI.dll,-28539|Desc=@FirewallAPI.dll,-28542|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{AEF0D579-2CDE-45E7-87EB-369FAD3BE588}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{AEF0D579-2CDE-45E7-87EB-369FAD3BE588}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC-EPMap|Svc=Rpcss|Name=@FirewallAPI.dll,-28539|Desc=@FirewallAPI.dll,-28542|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{AEF0D579-2CDE-45E7-87EB-369FAD3BE588}", "registry_value_type": 
"unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B4F9D2F0-D62F-476C-AD17-F442C82C776F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%%SystemRoot%%\\system32\\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{B4F9D2F0-D62F-476C-AD17-F442C82C776F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B4F9D2F0-D62F-476C-AD17-F442C82C776F}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%%SystemRoot%%\\system32\\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{B4F9D2F0-D62F-476C-AD17-F442C82C776F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": 
"modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BB641FE3-A1AA-47EE-9B70-33C69BFDDE64}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{BB641FE3-A1AA-47EE-9B70-33C69BFDDE64}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C2E4CC6E-BB19-472A-A33A-C4D85C0FA7C1}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C2E4CC6E-BB19-472A-A33A-C4D85C0FA7C1}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D2FF8ACA-D2AB-483F-A126-7016E11A4DC2}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{D2FF8ACA-D2AB-483F-A126-7016E11A4DC2}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DEB3E461-50D4-44A0-BCFE-D9FB6F699F0B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DEB3E461-50D4-44A0-BCFE-D9FB6F699F0B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E5A0E221-7CF9-49CC-B5F5-F0FC6CCF8B91}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{E5A0E221-7CF9-49CC-B5F5-F0FC6CCF8B91}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E958FDE3-14F7-48F6-9C71-548BA7743FD5}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=58|Profile=Domain|ICMP6=128:*|Name=@FirewallAPI.dll,-28545|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{E958FDE3-14F7-48F6-9C71-548BA7743FD5}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{E958FDE3-14F7-48F6-9C71-548BA7743FD5}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=58|Profile=Domain|ICMP6=128:*|Name=@FirewallAPI.dll,-28545|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|", "registry_value_name": "{E958FDE3-14F7-48F6-9C71-548BA7743FD5}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-246.attackrange.local", "process_guid": "{24818591-6226-60E8-1500-00000000D001}", "process_id": "1184", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F2CDA35E-8577-4F2F-8D12-37866EC3A02E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3849221864-3963433727-4239167226-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{F2CDA35E-8577-4F2F-8D12-37866EC3A02E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", 
"firstTime": "2025-12-10T03:36:28", "lastTime": "2025-12-10T03:36:28"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{09B4F2BC-CE01-4109-A1FB-9B60A5611944}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{09B4F2BC-CE01-4109-A1FB-9B60A5611944}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1E9B7CB3-A9E6-4EA7-BA2F-824E1F395C8D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1E9B7CB3-A9E6-4EA7-BA2F-824E1F395C8D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6456EFC2-465A-46D9-AE99-189C467994B3}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6456EFC2-465A-46D9-AE99-189C467994B3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{71862BE7-0D59-42D5-B1DA-13A2AF9B6CAB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{71862BE7-0D59-42D5-B1DA-13A2AF9B6CAB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{788AA679-C2E3-44D1-B74C-4CCD0FFEC4D0}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{788AA679-C2E3-44D1-B74C-4CCD0FFEC4D0}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7AB67A3A-1630-411A-A3C3-57E9C5531461}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7AB67A3A-1630-411A-A3C3-57E9C5531461}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{879944C4-0551-4864-9511-86107587DB0D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{879944C4-0551-4864-9511-86107587DB0D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{97350C09-CFB6-4AA3-A5FF-1320386A4FB3}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{97350C09-CFB6-4AA3-A5FF-1320386A4FB3}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{9BFD0E85-AAED-48E5-828A-2CB3F952FD4B}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{9BFD0E85-AAED-48E5-828A-2CB3F952FD4B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DD94B618-C0A2-4373-AE4D-BD8045860C7D}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{DD94B618-C0A2-4373-AE4D-BD8045860C7D}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1500-00000000BB01}", "process_id": "1176", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{EB30728D-75CD-48BC-BD69-93D08498F8D9}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{EB30728D-75CD-48BC-BD69-93D08498F8D9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "modified", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-9B85-63D3-1300-00000000BD02}", "process_id": "836", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{228054D3-2386-45A0-B3AB-4C5015781977}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{228054D3-2386-45A0-B3AB-4C5015781977}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:05:54", "lastTime": "2025-12-10T05:05:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-9B85-63D3-1300-00000000BD02}", "process_id": "836", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B91084BE-C058-4084-BF6E-C83BE03D5FD9}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{B91084BE-C058-4084-BF6E-C83BE03D5FD9}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:05:54", "lastTime": "2025-12-10T05:05:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-9B85-63D3-1300-00000000BD02}", "process_id": "836", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C5008D4B-817C-4114-A116-D63DD268C354}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|LPort=6004|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe|Name=Microsoft Office Outlook|", "registry_value_name": "{C5008D4B-817C-4114-A116-D63DD268C354}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:05:54", "lastTime": "2025-12-10T05:05:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-9B85-63D3-1300-00000000BD02}", "process_id": "836", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{D6A6B03D-C5BA-413F-B17F-4F018E87E89F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{D6A6B03D-C5BA-413F-B17F-4F018E87E89F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:05:54", "lastTime": "2025-12-10T05:05:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-9B85-63D3-1300-00000000BD02}", "process_id": "836", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F3CAA39B-D0D9-404C-82AB-63AE7580D53B}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{F3CAA39B-D0D9-404C-82AB-63AE7580D53B}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:05:54", "lastTime": "2025-12-10T05:05:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{084D3F47-4BA2-4268-B212-519349689982}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{084D3F47-4BA2-4268-B212-519349689982}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{11C74FB6-F0F3-4B3E-B347-654A9F924046}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{11C74FB6-F0F3-4B3E-B347-654A9F924046}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{14C24A6A-3FD0-4483-92E1-D3C452C3E488}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{14C24A6A-3FD0-4483-92E1-D3C452C3E488}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1616D551-2504-47E0-9776-BCC484E74E41}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1616D551-2504-47E0-9776-BCC484E74E41}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3805009F-0BFA-414B-B33E-44472E988B86}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{3805009F-0BFA-414B-B33E-44472E988B86}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{397EC30C-D43B-4ECD-B269-DFE896E43434}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{397EC30C-D43B-4ECD-B269-DFE896E43434}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{3E9754E4-1089-488E-9C6F-46C383228167}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\Lync.exe|Name=Microsoft Lync|", "registry_value_name": "{3E9754E4-1089-488E-9C6F-46C383228167}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": 
"2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{65460DDA-C7E7-4A9E-A536-BD0CCA3F792A}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{65460DDA-C7E7-4A9E-A536-BD0CCA3F792A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{6F684525-0D45-4DDA-8832-98C2D36101A5}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{6F684525-0D45-4DDA-8832-98C2D36101A5}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{852279AC-737C-4DD2-955F-4CCA475D3A2E}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{852279AC-737C-4DD2-955F-4CCA475D3A2E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A3C95122-4F12-4DD7-8EAB-076A5619CE68}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{A3C95122-4F12-4DD7-8EAB-076A5619CE68}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A4E9092F-98BB-4051-B124-FE07C2EBC1BB}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A4E9092F-98BB-4051-B124-FE07C2EBC1BB}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{A69ED25D-368F-48AB-A058-3E243ABE01EA}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{A69ED25D-368F-48AB-A058-3E243ABE01EA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B2F246D7-8FF6-43A2-B24A-75977C3EF17A}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{B2F246D7-8FF6-43A2-B24A-75977C3EF17A}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BDCFE685-36A1-4AAE-9228-5494997DD0DA}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|LPort=6004|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe|Name=Microsoft Office Outlook|", "registry_value_name": "{BDCFE685-36A1-4AAE-9228-5494997DD0DA}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-992A-63CF-1400-00000000B202}", "process_id": "1072", "registry_hive": 
"HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{BE35EDE7-FBC4-4586-909C-B9BDD0762EF6}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\\Program Files\\Microsoft Office\\root\\Office16\\UcMapi.exe|Name=Microsoft Lync UcMapi|", "registry_value_name": "{BE35EDE7-FBC4-4586-909C-B9BDD0762EF6}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{085FF3D7-9602-4F20-B08D-1BE328B87431}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{085FF3D7-9602-4F20-B08D-1BE328B87431}", "registry_value_type": "unknown", "status": "success", 
"user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:50", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{1FE5A697-1E1B-479A-AA96-C57F264A2F0C}", "registry_key_name": "FirewallRules", "registry_value_data": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{1FE5A697-1E1B-479A-AA96-C57F264A2F0C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:52", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{47D5950B-CA7D-4060-A594-42845B9B2492}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{47D5950B-CA7D-4060-A594-42845B9B2492}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:49", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{593BA8A3-5DB7-4428-AD64-BE4CBC156F6C}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{593BA8A3-5DB7-4428-AD64-BE4CBC156F6C}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:52", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{71885467-CD7C-4DE3-9A3B-AE42EAB05A5E}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{71885467-CD7C-4DE3-9A3B-AE42EAB05A5E}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:49", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{7FEDDF78-ADF9-4D35-B456-519834F81B1F}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{7FEDDF78-ADF9-4D35-B456-519834F81B1F}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:49", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{80B48BBD-A10D-4DD3-9C11-8C1DF30D44AE}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{80B48BBD-A10D-4DD3-9C11-8C1DF30D44AE}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:49", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{994D156A-3B72-4654-8FD4-BCC869DA9309}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{994D156A-3B72-4654-8FD4-BCC869DA9309}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:51", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{C9655923-4D14-4982-AC6D-8A1DFB85DCE8}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{C9655923-4D14-4982-AC6D-8A1DFB85DCE8}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:52", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{DC658A99-B1FF-447B-AF53-B7EA2EAB1555}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|", "registry_value_name": "{DC658A99-B1FF-447B-AF53-B7EA2EAB1555}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:51", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-286E-623C-1300-000000004302}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{FB98640F-282C-4908-ADF3-DE173AD7A4F7}", "registry_key_name": "FirewallRules", "registry_value_data": 
"v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2214540325-3392803530-572759246-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ|", "registry_value_name": "{FB98640F-282C-4908-ADF3-DE173AD7A4F7}", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:08:52", "lastTime": "2025-12-09T22:44:16"}], "error": null} +{"file_name": "windows_modify_registry_utilize_progids.yml", "description": "The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypass User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. 
Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= \"*\\\\ms-settings\\\\CurVer\\\\(Default)\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_utilize_progids_filter`", "results": [{"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-281a-66e0-431d-000000009402}", "process_id": "4636", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500_Classes\\ms-settings\\CurVer\\(Default)", "registry_key_name": "CurVer", "registry_value_data": ".pwn", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "4"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-286d-66e0-541d-000000009402}", "process_id": "3820", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500_Classes\\ms-settings\\CurVer\\(Default)", "registry_key_name": "CurVer", "registry_value_data": ".pwn", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "4"}], "error": null} +{"file_name": "windows_modify_registry_on_smart_card_group_policy.yml", "description": "This analytic is developed to detect suspicious registry modifications targeting the 
\"scforceoption\" key. Altering this key enforces smart card login for all users, potentially disrupting normal access methods. Unauthorized changes to this setting could indicate an attempt to restrict access or force a specific authentication method, possibly signifying malicious intent to manipulate system security protocols.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\scforceoption*\" Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_on_smart_card_group_policy_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-F502-000000000B03}", "process_id": "4472", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\scforceoption", "registry_key_name": "System", "registry_value_data": "0x00000001", "registry_value_name": "scforceoption", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}], "error": null} +{"file_name": "suspicious_reg_exe_process.yml", "description": "The following analytic identifies instances of reg.exe being launched from a command prompt (cmd.exe) that was not initiated by the user, as indicated by a parent process other than explorer.exe. 
This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant because reg.exe is often used in registry manipulation, which can be indicative of malicious behavior such as persistence mechanisms or system configuration changes. If confirmed malicious, this could allow an attacker to modify critical system settings, potentially leading to privilege escalation or persistent access.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name != explorer.exe Processes.process_name =cmd.exe by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id Processes.dest Processes.process_name | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup process_id| table process_id dest] | `suspicious_reg_exe_process_filter`", "results": [{"action": "allowed", "dest": "AttackBox-Win10", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "parent_process_exec": "powershell.exe", 
"parent_process_guid": "{51A89197-C74B-6552-9C02-000000001E00}", "parent_process_id": "6296", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"cmd.exe\" /c reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f & reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f & fodhelper.exe", "process_exec": "cmd.exe", "process_guid": "{51A89197-C781-6552-BF02-000000001E00}", "process_hash": "SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE", "process_id": "8064", "process_integrity_level": "medium", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "VICTIM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T05:06:24", "lastTime": "2025-12-10T06:33:40"}, {"action": "allowed", "dest": "AttackBox-Win10", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "parent_process_exec": "powershell.exe", "parent_process_guid": "{51A89197-C74B-6552-9C02-000000001E00}", "parent_process_id": "6296", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"cmd.exe\" /c reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f & cmd.exe /c eventvwr.msc", "process_exec": "cmd.exe", "process_guid": "{51A89197-C764-6552-A402-000000001E00}", "process_hash": "SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE", "process_id": 
"2856", "process_integrity_level": "medium", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "VICTIM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T05:06:24", "lastTime": "2025-12-10T06:33:40"}, {"action": "allowed", "dest": "ar-win", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\system32\\cmd.exe\" /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{C36AC009-F37D-65EE-4C01-000000005303}", "parent_process_id": "3728", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{C36AC009-F37D-65EE-4E01-000000005303}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2696", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:54:43", "lastTime": "2025-12-10T00:54:43"}, {"action": "allowed", "dest": "ar-win-2.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"cmd.exe\" /s /k pushd \"C:\\Program Files\\ansible\\sysmon\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{08CB57FB-C22B-64AB-0901-00000000FA02}", "parent_process_id": "3604", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "cmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f", "process_exec": "cmd.exe", "process_guid": 
"{08CB57FB-C2FF-64AB-1F01-00000000FA02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "1816", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T08:36:15", "lastTime": "2025-12-10T02:10:00"}, {"action": "allowed", "dest": "ar-win-2.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"cmd.exe\" /s /k pushd \"C:\\Program Files\\ansible\\sysmon\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{08CB57FB-C22B-64AB-0901-00000000FA02}", "parent_process_id": "3604", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f", "process_exec": "cmd.exe", "process_guid": "{08CB57FB-CDE3-64AB-1602-00000000FA02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3184", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T09:22:43", "lastTime": "2023-07-10T09:22:43"}, {"action": "allowed", "dest": "ar-win-2.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"cmd.exe\" /s /k pushd \"C:\\Program Files\\ansible\\sysmon\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{08CB57FB-C22B-64AB-0901-00000000FA02}", "parent_process_id": "3604", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "cmd 
/c reg add HKLM\\YSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f", "process_exec": "cmd.exe", "process_guid": "{08CB57FB-CDC0-64AB-0F02-00000000FA02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "1004", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T09:22:08", "lastTime": "2023-07-10T09:22:08"}, {"action": "allowed", "dest": "ar-win-2.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"cmd.exe\" /s /k pushd \"C:\\Program Files\\ansible\\sysmon\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{08CB57FB-C22B-64AB-0901-00000000FA02}", "parent_process_id": "3604", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "cmd /c reg add HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f", "process_exec": "cmd.exe", "process_guid": "{08CB57FB-CD9F-64AB-0B02-00000000FA02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4028", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T09:21:35", "lastTime": "2023-07-10T09:21:35"}, {"action": "allowed", "dest": "ar-win-2.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"cmd.exe\" /s /k pushd \"C:\\Program Files\\ansible\\sysmon\"", "parent_process_exec": "cmd.exe", "parent_process_guid": 
"{08CB57FB-C22B-64AB-0901-00000000FA02}", "parent_process_id": "3604", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "cmd /c reg add HKLM\\\\YSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f", "process_exec": "cmd.exe", "process_guid": "{08CB57FB-CDB3-64AB-0D02-00000000FA02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4932", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T09:21:55", "lastTime": "2023-07-10T09:21:55"}, {"action": "allowed", "dest": "ar-win.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\system32\\cmd.exe\" /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{C36AC009-F42B-65EE-9400-000000005403}", "parent_process_id": "5080", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{C36AC009-F42C-65EE-9600-000000005403}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2508", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:54:43", "lastTime": "2025-12-10T00:54:43"}, {"action": 
"allowed", "dest": "project-london-host", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{4C77B871-C156-6089-5F68-00000000BB01}", "parent_process_id": "3956", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{4C77B871-C156-6089-5D68-00000000BB01}", "process_hash": "null", "process_id": "2956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "allowed", "dest": "project-london-host", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{4C77B871-1F0A-6087-D810-00000000BB01}", "parent_process_id": "1724", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{4C77B871-C156-6089-5D68-00000000BB01}", "process_hash": "null", "process_id": "2956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "allowed", "dest": "project-london-host", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2956", "process_integrity_level": "null", 
"process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "allowed", "dest": "project-london-host", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{4C77B871-C156-6089-5D68-00000000BB01}", "process_hash": "null", "process_id": "2956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "allowed", "dest": "project-london-host", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "sysmon64.exe", "parent_process_guid": "{4C77B871-9764-6086-1D00-00000000BB01}", "parent_process_id": "1844", "parent_process_name": "sysmon64.exe", "parent_process_path": "C:\\Windows\\sysmon64.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{4C77B871-C156-6089-5D68-00000000BB01}", "process_hash": "null", "process_id": "2956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "allowed", "dest": "project-london-host", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "wmiprvse.exe", "parent_process_guid": "{4C77B871-C122-6089-BA64-00000000BB01}", "parent_process_id": "2676", "parent_process_name": "wmiprvse.exe", 
"parent_process_path": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{4C77B871-C156-6089-5D68-00000000BB01}", "process_hash": "null", "process_id": "2956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "80", "firstTime": "2025-12-09T22:41:14", "lastTime": "2025-12-09T22:41:14"}, {"action": "allowed", "dest": "soc101win11", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Users\\research\\AppData\\Local\\Programs\\cursor\\Cursor.exe\"", "parent_process_exec": "Cursor.exe", "parent_process_guid": "{8223a6b9-2289-6902-4904-000000002b00}", "parent_process_id": "3616", "parent_process_name": "Cursor.exe", "parent_process_path": "C:\\Users\\research\\AppData\\Local\\Programs\\cursor\\Cursor.exe", "process": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"%%windir%%\\System32\\REG.exe QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid\"", "process_exec": "cmd.exe", "process_guid": "{8223a6b9-228c-6902-5504-000000002b00}", "process_hash": "MD5=90242B3940D153095204CCA04B83DCF3,SHA256=55D95D29D54112FC203D8B2D6335031FD0EF26C56C9459F239760C24DADD3F24,IMPHASH=B0F049C014592B156EB1FA857E99CEB9", "process_id": "12452", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T23:06:26", "lastTime": "2025-12-09T23:06:26"}, {"action": "allowed", "dest": "win-dc-11.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{4F975E20-F71D-5FC4-B600-000000009101}", "parent_process_id": "2664", "parent_process_name": 
"cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{4F975E20-F71D-5FC4-B900-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3644", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:58:16", "lastTime": "2025-12-10T02:58:16"}, {"action": "allowed", "dest": "win-dc-11.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{4F975E20-F71D-5FC4-B600-000000009101}", "parent_process_id": "2664", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{4F975E20-F71D-5FC4-B900-000000009101}", "process_hash": "null", "process_id": "3644", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:58:16", "lastTime": "2025-12-10T02:58:16"}, {"action": "allowed", "dest": "win-dc-11.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{4F975E20-F71D-5FC4-B700-000000009101}", "parent_process_id": "2656", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{4F975E20-F71D-5FC4-B900-000000009101}", "process_hash": "null", "process_id": "3644", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:58:16", "lastTime": "2025-12-10T02:58:16"}, {"action": "allowed", "dest": "win-dc-11.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{4F975E20-F6DE-5FC4-0500-000000009101}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{4F975E20-F71D-5FC4-B900-000000009101}", "process_hash": "null", "process_id": "3644", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:58:16", "lastTime": "2025-12-10T02:58:16"}, {"action": "allowed", "dest": "win-dc-129.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{989E6708-06A0-5FA9-8500-000000008801}", "parent_process_id": "3088", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{989E6708-06A0-5FA9-8700-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": 
"2716", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:40:59", "lastTime": "2025-12-10T03:40:59"}, {"action": "allowed", "dest": "win-dc-129.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{989E6708-06A0-5FA9-8500-000000008801}", "parent_process_id": "3088", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{989E6708-06A0-5FA9-8700-000000008801}", "process_hash": "null", "process_id": "2716", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:40:59", "lastTime": "2025-12-10T03:40:59"}, {"action": "allowed", "dest": "win-dc-129.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{989E6708-06A0-5FA9-8600-000000008801}", "parent_process_id": "4448", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{989E6708-06A0-5FA9-8700-000000008801}", "process_hash": "null", "process_id": "2716", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:40:59", "lastTime": "2025-12-10T03:40:59"}, {"action": "allowed", "dest": "win-dc-129.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", 
"parent_process_guid": "{989E6708-0661-5FA9-0500-000000008801}", "parent_process_id": "648", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{989E6708-06A0-5FA9-8700-000000008801}", "process_hash": "null", "process_id": "2716", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:40:59", "lastTime": "2025-12-10T03:40:59"}, {"action": "allowed", "dest": "win-dc-156.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5ACC1F4D-4AF4-5F89-7E00-000000008801}", "parent_process_id": "4600", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{5ACC1F4D-4AF4-5F89-8000-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4640", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:39:02", "lastTime": "2025-12-10T07:39:02"}, {"action": "allowed", "dest": "win-dc-156.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5ACC1F4D-4AF4-5F89-7E00-000000008801}", 
"parent_process_id": "4600", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5ACC1F4D-4AF4-5F89-8000-000000008801}", "process_hash": "null", "process_id": "4640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:39:02", "lastTime": "2025-12-10T07:39:02"}, {"action": "allowed", "dest": "win-dc-156.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5ACC1F4D-4AF4-5F89-7F00-000000008801}", "parent_process_id": "4596", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5ACC1F4D-4AF4-5F89-8000-000000008801}", "process_hash": "null", "process_id": "4640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:39:02", "lastTime": "2025-12-10T07:39:02"}, {"action": "allowed", "dest": "win-dc-156.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5ACC1F4D-4AB4-5F89-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5ACC1F4D-4AF4-5F89-8000-000000008801}", "process_hash": "null", "process_id": "4640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": 
"Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:39:02", "lastTime": "2025-12-10T07:39:02"}, {"action": "allowed", "dest": "win-dc-169.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{84FDB31E-AD50-5FBB-0000-00105E120600}", "parent_process_id": "4476", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{84FDB31E-AD50-5FBB-0000-0010D4140600}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4636", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:01:04", "lastTime": "2025-12-10T06:01:04"}, {"action": "allowed", "dest": "win-dc-169.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{84FDB31E-AD50-5FBB-0000-00105E120600}", "parent_process_id": "4476", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{84FDB31E-AD50-5FBB-0000-0010D4140600}", "process_hash": "null", "process_id": "4636", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:01:04", "lastTime": 
"2025-12-10T06:01:04"}, {"action": "allowed", "dest": "win-dc-169.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{84FDB31E-AD50-5FBB-0000-0010DB120600}", "parent_process_id": "4524", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{84FDB31E-AD50-5FBB-0000-0010D4140600}", "process_hash": "null", "process_id": "4636", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:01:04", "lastTime": "2025-12-10T06:01:04"}, {"action": "allowed", "dest": "win-dc-169.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{84FDB31E-AD11-5FBB-0000-0010D2420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{84FDB31E-AD50-5FBB-0000-0010D4140600}", "process_hash": "null", "process_id": "4636", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:01:04", "lastTime": "2025-12-10T06:01:04"}, {"action": "allowed", "dest": "win-dc-1796611.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A5F018FF-28FC-5F80-8700-000000007F01}", "parent_process_id": "4484", "parent_process_name": "cmd.exe", "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{A5F018FF-28FC-5F80-8900-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2872", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:19:40", "lastTime": "2025-12-10T08:19:40"}, {"action": "allowed", "dest": "win-dc-1796611.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A5F018FF-28FC-5F80-8700-000000007F01}", "parent_process_id": "4484", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A5F018FF-28FC-5F80-8900-000000007F01}", "process_hash": "null", "process_id": "2872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:19:40", "lastTime": "2025-12-10T08:19:40"}, {"action": "allowed", "dest": "win-dc-1796611.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{A5F018FF-28FC-5F80-8800-000000007F01}", "parent_process_id": "2356", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A5F018FF-28FC-5F80-8900-000000007F01}", 
"process_hash": "null", "process_id": "2872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:19:40", "lastTime": "2025-12-10T08:19:40"}, {"action": "allowed", "dest": "win-dc-1796611.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A5F018FF-28BC-5F80-0500-000000007F01}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A5F018FF-28FC-5F80-8900-000000007F01}", "process_hash": "null", "process_id": "2872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:19:40", "lastTime": "2025-12-10T08:19:40"}, {"action": "allowed", "dest": "win-dc-18.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7B03F3B2-326C-609C-872D-00000000BA01}", "parent_process_id": "6892", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam %%temp%%\\sam & reg save HKLM\\system %%temp%%\\system & reg save HKLM\\security %%temp%%\\security\"", "process_exec": "cmd.exe", "process_guid": "{7B03F3B2-802A-609D-2256-00000000BA01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "8168", 
"process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "allowed", "dest": "win-dc-18.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7B03F3B2-326C-609C-882D-00000000BA01}", "parent_process_id": "6984", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7B03F3B2-802A-609D-2256-00000000BA01}", "process_hash": "null", "process_id": "8168", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "allowed", "dest": "win-dc-18.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7B03F3B2-319D-609C-402D-00000000BA01}", "parent_process_id": "2288", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7B03F3B2-802A-609D-2256-00000000BA01}", "process_hash": "null", "process_id": "8168", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "allowed", "dest": "win-dc-18.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", 
"parent_process_guid": "{7B03F3B2-326C-609C-872D-00000000BA01}", "parent_process_id": "6892", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7B03F3B2-802A-609D-2256-00000000BA01}", "process_hash": "null", "process_id": "8168", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:32:10", "lastTime": "2025-12-10T06:32:10"}, {"action": "allowed", "dest": "win-dc-185.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{8D4DD44E-821F-616D-750A-000000000402}", "parent_process_id": "3004", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8D4DD44E-821F-616D-740A-000000000402}", "process_hash": "null", "process_id": "6444", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:38:38", "lastTime": "2025-12-09T22:38:38"}, {"action": "allowed", "dest": "win-dc-185.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{8D4DD44E-D033-616F-CD02-000000000502}", "parent_process_id": "1116", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8D4DD44E-D033-616F-CC02-000000000502}", "process_hash": "null", "process_id": "1344", "process_integrity_level": "null", "process_name": 
"cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:38:07", "lastTime": "2025-12-09T22:38:07"}, {"action": "allowed", "dest": "win-dc-185.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8D4DD44E-799F-616D-2309-000000000402}", "parent_process_id": "3768", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8D4DD44E-821F-616D-740A-000000000402}", "process_hash": "null", "process_id": "6444", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:38:38", "lastTime": "2025-12-09T22:38:38"}, {"action": "allowed", "dest": "win-dc-185.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8D4DD44E-C6A0-616F-7F01-000000000502}", "parent_process_id": "2160", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8D4DD44E-D033-616F-CC02-000000000502}", "process_hash": "null", "process_id": "1344", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:38:07", "lastTime": "2025-12-09T22:38:07"}, {"action": "allowed", "dest": "win-dc-235.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", 
"parent_process_exec": "cmd.exe", "parent_process_guid": "{2935EF20-8F37-5FD0-0000-00106ED90500}", "parent_process_id": "5076", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{2935EF20-8F37-5FD0-0000-0010E3DB0500}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4128", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "allowed", "dest": "win-dc-235.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{2935EF20-8F37-5FD0-0000-00106ED90500}", "parent_process_id": "5076", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2935EF20-8F37-5FD0-0000-0010E3DB0500}", "process_hash": "null", "process_id": "4128", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "allowed", "dest": "win-dc-235.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{2935EF20-8F37-5FD0-0000-0010EAD90500}", "parent_process_id": "5084", "parent_process_name": 
"conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2935EF20-8F37-5FD0-0000-0010E3DB0500}", "process_hash": "null", "process_id": "4128", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "allowed", "dest": "win-dc-235.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{2935EF20-8EF8-5FD0-0000-0010ED420000}", "parent_process_id": "636", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2935EF20-8F37-5FD0-0000-0010E3DB0500}", "process_hash": "null", "process_id": "4128", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:59:03", "lastTime": "2025-12-10T03:59:03"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe\" _internal_extra_splunkd_service_args", "parent_process_exec": "splunk.exe", "parent_process_guid": "{08A6967A-4299-6000-4300-000000009A01}", "parent_process_id": "3992", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "C:\\Windows\\system32\\cmd.exe /c btool server list kvstore --no-log", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429A-6000-4B00-000000009A01}", "process_hash": 
"MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2920", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service", "parent_process_exec": "splunkd.exe", "parent_process_guid": "{08A6967A-4298-6000-3400-000000009A01}", "parent_process_id": "2316", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\WinNetMon.cmd\" --scheme\"", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429D-6000-6E00-000000009A01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2920", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{08A6967A-42C5-6000-8F00-000000009A01}", "parent_process_id": "4352", "parent_process_name": "cmd.exe", "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{08A6967A-42C5-6000-9100-000000009A01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2920", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{08A6967A-42C5-6000-8F00-000000009A01}", "parent_process_id": "4352", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-42C5-6000-9100-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{08A6967A-4299-6000-4100-000000009A01}", "parent_process_id": "3948", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429A-6000-4B00-000000009A01}", 
"process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{08A6967A-4299-6000-4100-000000009A01}", "parent_process_id": "3948", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429D-6000-6E00-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{08A6967A-42C5-6000-9000-000000009A01}", "parent_process_id": "3148", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-42C5-6000-9100-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": 
"unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{08A6967A-4286-6000-0500-000000009A01}", "parent_process_id": "636", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429A-6000-4B00-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{08A6967A-4286-6000-0500-000000009A01}", "parent_process_id": "636", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429D-6000-6E00-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{08A6967A-4286-6000-0500-000000009A01}", "parent_process_id": "636", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-42C5-6000-9100-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "splunk.exe", "parent_process_guid": "{08A6967A-4299-6000-4300-000000009A01}", "parent_process_id": "3992", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429A-6000-4B00-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-250.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "splunkd.exe", "parent_process_guid": "{08A6967A-4298-6000-3400-000000009A01}", "parent_process_id": "2316", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{08A6967A-429D-6000-6E00-000000009A01}", "process_hash": "null", "process_id": "2920", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:31:52", "lastTime": "2025-12-10T01:31:52"}, {"action": "allowed", "dest": "win-dc-255.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c 
C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{89DCEC72-9B5C-5FB7-9300-000000009101}", "parent_process_id": "2420", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{89DCEC72-9B5C-5FB7-9500-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4468", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:20:57", "lastTime": "2025-12-10T05:20:57"}, {"action": "allowed", "dest": "win-dc-255.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{89DCEC72-9B5C-5FB7-9300-000000009101}", "parent_process_id": "2420", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89DCEC72-9B5C-5FB7-9500-000000009101}", "process_hash": "null", "process_id": "4468", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:20:57", "lastTime": "2025-12-10T05:20:57"}, {"action": "allowed", "dest": "win-dc-255.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{89DCEC72-9B5C-5FB7-9400-000000009101}", 
"parent_process_id": "4388", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89DCEC72-9B5C-5FB7-9500-000000009101}", "process_hash": "null", "process_id": "4468", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:20:57", "lastTime": "2025-12-10T05:20:57"}, {"action": "allowed", "dest": "win-dc-255.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{89DCEC72-9B1D-5FB7-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89DCEC72-9B5C-5FB7-9500-000000009101}", "process_hash": "null", "process_id": "4468", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:20:57", "lastTime": "2025-12-10T05:20:57"}, {"action": "allowed", "dest": "win-dc-259.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe\" _internal pre-flight-checks --answer-yes --no-prompt", "parent_process_exec": "splunk.exe", "parent_process_guid": "{34CA4CA7-2AA9-5FA9-B300-000000008801}", "parent_process_id": "4184", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "C:\\Windows\\system32\\cmd.exe /c btool server list replication_port --no-log", "process_exec": "cmd.exe", "process_guid": "{34CA4CA7-2AAB-5FA9-BD00-000000008801}", 
"process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4580", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-dc-259.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{34CA4CA7-2A55-5FA9-7F00-000000008801}", "parent_process_id": "4484", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{34CA4CA7-2A55-5FA9-8100-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4580", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-dc-259.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{34CA4CA7-2A55-5FA9-7F00-000000008801}", "parent_process_id": "4484", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": 
"cmd.exe", "process_guid": "{34CA4CA7-2A55-5FA9-8100-000000008801}", "process_hash": "null", "process_id": "4580", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-dc-259.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{34CA4CA7-2A55-5FA9-8000-000000008801}", "parent_process_id": "4432", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{34CA4CA7-2A55-5FA9-8100-000000008801}", "process_hash": "null", "process_id": "4580", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-dc-259.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{34CA4CA7-2AA8-5FA9-A600-000000008801}", "parent_process_id": "4152", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{34CA4CA7-2AAB-5FA9-BD00-000000008801}", "process_hash": "null", "process_id": "4580", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": 
"win-dc-259.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{34CA4CA7-2A15-5FA9-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{34CA4CA7-2A55-5FA9-8100-000000008801}", "process_hash": "null", "process_id": "4580", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-dc-259.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{34CA4CA7-2A15-5FA9-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{34CA4CA7-2AAB-5FA9-BD00-000000008801}", "process_hash": "null", "process_id": "4580", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-dc-259.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "splunk.exe", "parent_process_guid": "{34CA4CA7-2AA9-5FA9-B300-000000008801}", "parent_process_id": "4184", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{34CA4CA7-2AAB-5FA9-BD00-000000008801}", "process_hash": "null", "process_id": "4580", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-dc-272.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{8A675139-3B88-5FA5-7F00-000000008801}", "parent_process_id": "5060", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{8A675139-3B88-5FA5-8100-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5112", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T07:24:58", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-272.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{8A675139-3B88-5FA5-7F00-000000008801}", "parent_process_id": "5060", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8A675139-3B88-5FA5-8100-000000008801}", "process_hash": "null", "process_id": 
"5112", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T07:24:58", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-272.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{8A675139-3B88-5FA5-8000-000000008801}", "parent_process_id": "5068", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8A675139-3B88-5FA5-8100-000000008801}", "process_hash": "null", "process_id": "5112", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T07:24:58", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-272.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8A675139-3B49-5FA5-0500-000000008801}", "parent_process_id": "648", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8A675139-3B88-5FA5-8100-000000008801}", "process_hash": "null", "process_id": "5112", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T07:24:58", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-281.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c 
C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A8622C2F-3E2B-6078-8800-00000000AE01}", "parent_process_id": "4348", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{A8622C2F-3E2B-6078-8A00-00000000AE01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4252", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:16:39", "lastTime": "2025-12-10T08:16:39"}, {"action": "allowed", "dest": "win-dc-299.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3CFDEE80-F8C9-605A-8900-00000000AE01}", "parent_process_id": "4488", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{3CFDEE80-F8C9-605A-8B00-00000000AE01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4392", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", 
"user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "allowed", "dest": "win-dc-299.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3CFDEE80-F8C9-605A-8900-00000000AE01}", "parent_process_id": "4488", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3CFDEE80-F8C9-605A-8B00-00000000AE01}", "process_hash": "null", "process_id": "4392", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "allowed", "dest": "win-dc-299.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3CFDEE80-F8C9-605A-8A00-00000000AE01}", "parent_process_id": "4388", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3CFDEE80-F8C9-605A-8B00-00000000AE01}", "process_hash": "null", "process_id": "4392", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "allowed", "dest": "win-dc-299.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3CFDEE80-F889-605A-0500-00000000AE01}", "parent_process_id": "628", "parent_process_name": "csrss.exe", 
"parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3CFDEE80-F8C9-605A-8B00-00000000AE01}", "process_hash": "null", "process_id": "4392", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "allowed", "dest": "win-dc-342.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{F0120972-A0C4-5FBF-9700-000000009101}", "parent_process_id": "732", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{F0120972-A0C5-5FBF-9900-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2676", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:52:12", "lastTime": "2025-12-10T00:52:12"}, {"action": "allowed", "dest": "win-dc-342.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{F0120972-A0C4-5FBF-9700-000000009101}", "parent_process_id": "732", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", 
"process_exec": "cmd.exe", "process_guid": "{F0120972-A0C5-5FBF-9900-000000009101}", "process_hash": "null", "process_id": "2676", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:52:12", "lastTime": "2025-12-10T00:52:12"}, {"action": "allowed", "dest": "win-dc-342.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{F0120972-A0C4-5FBF-9800-000000009101}", "parent_process_id": "4492", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F0120972-A0C5-5FBF-9900-000000009101}", "process_hash": "null", "process_id": "2676", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:52:12", "lastTime": "2025-12-10T00:52:12"}, {"action": "allowed", "dest": "win-dc-342.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{F0120972-A085-5FBF-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F0120972-A0C5-5FBF-9900-000000009101}", "process_hash": "null", "process_id": "2676", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:52:12", "lastTime": "2025-12-10T00:52:12"}, {"action": "allowed", "dest": 
"win-dc-3574060.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service", "parent_process_exec": "splunkd.exe", "parent_process_guid": "{5D479F2C-1724-5F84-0D01-000000007F01}", "parent_process_id": "4552", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c \"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe\" _internal_extra_splunkd_service_args", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1725-5F84-1201-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4584", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{5D479F2C-1701-5F84-D600-000000007F01}", "parent_process_id": "3092", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid\"", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1707-5F84-E100-000000007F01}", "process_hash": 
"MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4584", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADgAMgAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA=", "parent_process_exec": "powershell.exe", "parent_process_guid": "{5D479F2C-1701-5F84-D600-000000007F01}", "parent_process_id": "3092", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"systeminfo & reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\"", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1702-5F84-DB00-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", 
"process_id": "4648", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5D479F2C-16DE-5F84-8600-000000007F01}", "parent_process_id": "4616", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-16DE-5F84-8800-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4716", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5D479F2C-16DE-5F84-8600-000000007F01}", "parent_process_id": "4616", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-16DE-5F84-8800-000000007F01}", "process_hash": "null", "process_id": "4716", "process_integrity_level": "null", 
"process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5D479F2C-16DE-5F84-8700-000000007F01}", "parent_process_id": "4624", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-16DE-5F84-8800-000000007F01}", "process_hash": "null", "process_id": "4716", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5D479F2C-1700-5F84-CF00-000000007F01}", "parent_process_id": "1232", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1702-5F84-DB00-000000007F01}", "process_hash": "null", "process_id": "4648", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": 
"{5D479F2C-1700-5F84-CF00-000000007F01}", "parent_process_id": "1232", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1707-5F84-E100-000000007F01}", "process_hash": "null", "process_id": "4584", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5D479F2C-1725-5F84-1101-000000007F01}", "parent_process_id": "4236", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1725-5F84-1201-000000007F01}", "process_hash": "null", "process_id": "4584", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5D479F2C-169F-5F84-0500-000000007F01}", "parent_process_id": "648", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-16DE-5F84-8800-000000007F01}", "process_hash": "null", "process_id": "4716", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", 
"user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5D479F2C-169F-5F84-0500-000000007F01}", "parent_process_id": "648", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1702-5F84-DB00-000000007F01}", "process_hash": "null", "process_id": "4648", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5D479F2C-169F-5F84-0500-000000007F01}", "parent_process_id": "648", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1707-5F84-E100-000000007F01}", "process_hash": "null", "process_id": "4584", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5D479F2C-169F-5F84-0500-000000007F01}", "parent_process_id": "648", "parent_process_name": 
"csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1725-5F84-1201-000000007F01}", "process_hash": "null", "process_id": "4584", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{5D479F2C-1701-5F84-D600-000000007F01}", "parent_process_id": "3092", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1702-5F84-DB00-000000007F01}", "process_hash": "null", "process_id": "4648", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{5D479F2C-1701-5F84-D600-000000007F01}", "parent_process_id": "3092", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1707-5F84-E100-000000007F01}", "process_hash": "null", "process_id": "4584", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", 
"user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-3574060.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "splunkd.exe", "parent_process_guid": "{5D479F2C-1724-5F84-0D01-000000007F01}", "parent_process_id": "4552", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5D479F2C-1725-5F84-1201-000000007F01}", "process_hash": "null", "process_id": "4584", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:50:14", "lastTime": "2025-12-10T08:50:14"}, {"action": "allowed", "dest": "win-dc-365.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{928AB1BB-E4F3-60C1-8300-00000000C401}", "parent_process_id": "2888", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{928AB1BB-E4F3-60C1-8500-00000000C401}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2692", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": 
"Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-dc-365.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{928AB1BB-E4F3-60C1-8300-00000000C401}", "parent_process_id": "2888", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{928AB1BB-E4F3-60C1-8500-00000000C401}", "process_hash": "null", "process_id": "2692", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-dc-365.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{928AB1BB-E4F3-60C1-8400-00000000C401}", "parent_process_id": "3036", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{928AB1BB-E4F3-60C1-8500-00000000C401}", "process_hash": "null", "process_id": "2692", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-dc-365.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{928AB1BB-E86F-60C1-4904-00000000C401}", "parent_process_id": "5616", "parent_process_name": "conhost.exe", "parent_process_path": 
"C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{928AB1BB-E86F-60C1-4804-00000000C401}", "process_hash": "null", "process_id": "4160", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-dc-365.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{928AB1BB-E4B3-60C1-0500-00000000C401}", "parent_process_id": "408", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{928AB1BB-E4F3-60C1-8500-00000000C401}", "process_hash": "null", "process_id": "2692", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-dc-365.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{928AB1BB-E72D-60C1-3D01-00000000C401}", "parent_process_id": "4384", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{928AB1BB-E86F-60C1-4804-00000000C401}", "process_hash": "null", "process_id": "4160", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": 
"2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-dc-397.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E983936C-B3CD-6006-8A00-00000000A301}", "parent_process_id": "4384", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{E983936C-B3CD-6006-8C00-00000000A301}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4544", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "allowed", "dest": "win-dc-397.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E983936C-B3CD-6006-8A00-00000000A301}", "parent_process_id": "4384", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E983936C-B3CD-6006-8C00-00000000A301}", "process_hash": "null", "process_id": "4544", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "allowed", "dest": 
"win-dc-397.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E983936C-B3CD-6006-8B00-00000000A301}", "parent_process_id": "4488", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E983936C-B3CD-6006-8C00-00000000A301}", "process_hash": "null", "process_id": "4544", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "allowed", "dest": "win-dc-397.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E983936C-B38D-6006-0500-00000000A301}", "parent_process_id": "636", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E983936C-B3CD-6006-8C00-00000000A301}", "process_hash": "null", "process_id": "4544", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:01:04", "lastTime": "2025-12-10T04:01:04"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe\" _internal pre-flight-checks --answer-yes --no-prompt", "parent_process_exec": "splunk.exe", "parent_process_guid": "{5EBD8912-8CD2-6151-4500-00000000FD01}", "parent_process_id": "3808", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program 
Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "C:\\Windows\\system32\\cmd.exe /c btool server list replication_port --no-log", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8CD4-6151-5700-00000000FD01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3680", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5EBD8912-18E9-6154-7900-00000000FE01}", "parent_process_id": "588", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-18E9-6154-7B00-00000000FE01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "1316", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c 
C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5EBD8912-8CFD-6151-7900-00000000FD01}", "parent_process_id": "3816", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8CFD-6151-7B00-00000000FD01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3680", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5EBD8912-18E9-6154-7900-00000000FE01}", "parent_process_id": "588", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-18E9-6154-7B00-00000000FE01}", "process_hash": "null", "process_id": "1316", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5EBD8912-8CFD-6151-7900-00000000FD01}", 
"parent_process_id": "3816", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8CFD-6151-7B00-00000000FD01}", "process_hash": "null", "process_id": "3680", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5EBD8912-18E9-6154-7A00-00000000FE01}", "parent_process_id": "648", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-18E9-6154-7B00-00000000FE01}", "process_hash": "null", "process_id": "1316", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5EBD8912-1A12-6154-C600-00000000FE01}", "parent_process_id": "4836", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-1A12-6154-C500-00000000FE01}", "process_hash": "null", "process_id": "4592", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", 
"vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5EBD8912-85DC-6151-8C79-00000000FC01}", "parent_process_id": "32", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-85DC-6151-8B79-00000000FC01}", "process_hash": "null", "process_id": "4220", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:38:14", "lastTime": "2025-12-10T04:38:14"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5EBD8912-8CD1-6151-3500-00000000FD01}", "parent_process_id": "3436", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8CD4-6151-5700-00000000FD01}", "process_hash": "null", "process_id": "3680", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5EBD8912-8CFD-6151-7A00-00000000FD01}", "parent_process_id": "3408", "parent_process_name": "conhost.exe", 
"parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8CFD-6151-7B00-00000000FD01}", "process_hash": "null", "process_id": "3680", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5EBD8912-8E1C-6151-C900-00000000FD01}", "parent_process_id": "1672", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8E1C-6151-C800-00000000FD01}", "process_hash": "null", "process_id": "3608", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5EBD8912-D0BD-6152-ED26-00000000FD01}", "parent_process_id": "2084", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-D0BD-6152-EC26-00000000FD01}", "process_hash": "null", "process_id": "3012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": 
"2025-12-10T03:38:29", "lastTime": "2025-12-10T03:38:29"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5EBD8912-18A9-6154-0500-00000000FE01}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-18E9-6154-7B00-00000000FE01}", "process_hash": "null", "process_id": "1316", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5EBD8912-194C-6154-9000-00000000FE01}", "parent_process_id": "2844", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-1A12-6154-C500-00000000FE01}", "process_hash": "null", "process_id": "4592", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5EBD8912-79BB-6151-D077-00000000FC01}", "parent_process_id": "4612", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": 
"cmd.exe", "process_guid": "{5EBD8912-85DC-6151-8B79-00000000FC01}", "process_hash": "null", "process_id": "4220", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:38:14", "lastTime": "2025-12-10T04:38:14"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5EBD8912-8CBD-6151-0500-00000000FD01}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8CD4-6151-5700-00000000FD01}", "process_hash": "null", "process_id": "3680", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5EBD8912-8CBD-6151-0500-00000000FD01}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8CFD-6151-7B00-00000000FD01}", "process_hash": "null", "process_id": "3680", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": 
"win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5EBD8912-8D26-6151-8500-00000000FD01}", "parent_process_id": "2760", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8E1C-6151-C800-00000000FD01}", "process_hash": "null", "process_id": "3608", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5EBD8912-8D26-6151-8500-00000000FD01}", "parent_process_id": "2760", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-D0BD-6152-EC26-00000000FD01}", "process_hash": "null", "process_id": "3012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:38:29", "lastTime": "2025-12-10T03:38:29"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "splunk.exe", "parent_process_guid": "{5EBD8912-8CD2-6151-4500-00000000FD01}", "parent_process_id": "3808", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{5EBD8912-8CD4-6151-5700-00000000FD01}", "process_hash": "null", "process_id": "3680", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:15:25", "lastTime": "2025-12-10T07:15:25"}, {"action": "allowed", "dest": "win-dc-429.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{5EBD8912-8CBF-6151-0C00-00000000FD01}", "parent_process_id": "844", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\system32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5EBD8912-8E1C-6151-C800-00000000FD01}", "process_hash": "null", "process_id": "3608", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T03:38:29", "lastTime": "2025-12-10T03:38:29"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7E531255-3CAF-5FCF-0000-001097D40500}", "parent_process_id": "3032", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{7E531255-3CAF-5FCF-0000-00100FD70500}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", 
"process_id": "2188", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{B0A3CCD1-905B-5FCF-0000-0010E4EE0500}", "parent_process_id": "4552", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{B0A3CCD1-905B-5FCF-0000-00105BF10500}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4684", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7E531255-3CAF-5FCF-0000-001097D40500}", "parent_process_id": "3032", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E531255-3C72-5FCF-0000-0010A6420100}", "process_hash": "null", "process_id": "2188", "process_integrity_level": "null", "process_name": 
"cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{B0A3CCD1-905B-5FCF-0000-0010E4EE0500}", "parent_process_id": "4552", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B0A3CCD1-905B-5FCF-0000-00105BF10500}", "process_hash": "null", "process_id": "4684", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7E531255-3CAF-5FCF-0000-001015D50500}", "parent_process_id": "3652", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E531255-3C72-5FCF-0000-0010A6420100}", "process_hash": "null", "process_id": "2188", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": 
"{B0A3CCD1-905B-5FCF-0000-001062EF0500}", "parent_process_id": "4604", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B0A3CCD1-905B-5FCF-0000-00105BF10500}", "process_hash": "null", "process_id": "4684", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7E531255-3C6F-5FCF-0000-0010FC420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E531255-3C72-5FCF-0000-0010A6420100}", "process_hash": "null", "process_id": "2188", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:43", "lastTime": "2025-12-10T02:42:43"}, {"action": "allowed", "dest": "win-dc-431.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{B0A3CCD1-901C-5FCF-0000-0010E2420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B0A3CCD1-905B-5FCF-0000-00105BF10500}", "process_hash": "null", "process_id": "4684", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": 
"unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:39:53", "lastTime": "2025-12-10T01:39:53"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQAOAAuADAAMAAyACIAIAAtAEMAbABlAGEAbgB1AHAA", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2BC-5FB4-0000-00104D310A00}", "parent_process_id": "1180", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BE-5FB4-0000-0010A6980A00}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4768", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:02", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 
WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQAOAAuADAAMAAyACIAIAAtAEMAbABlAGEAbgB1AHAA", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2BC-5FB4-0000-00104D310A00}", "parent_process_id": "1180", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe delete hkcu\\software\\classes\\ms-settings /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-0010A6670A00}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2152", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2BC-5FB4-0000-00104D310A00}", "parent_process_id": "1180", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe 
delete hkcu\\software\\classes\\mscfile /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-00101C560A00}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "1840", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2B3-5FB4-0000-00105AE30800}", "parent_process_id": "3304", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B9-5FB4-0000-001032E50900}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4736", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:57", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 
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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2B3-5FB4-0000-00105AE30800}", "parent_process_id": "3304", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f & reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f & fodhelper.exe\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B4-5FB4-0000-0010CB440900}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3796", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2B3-5FB4-0000-00105AE30800}", "parent_process_id": "3304", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f & cmd.exe /c eventvwr.msc\"", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B4-5FB4-0000-0010F1190900}", "process_hash": 
"MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "932", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{31314CAD-F26C-5FB4-0000-0010A6D10500}", "parent_process_id": "5044", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F26C-5FB4-0000-00101DD40500}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5092", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:07:40", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{31314CAD-F26C-5FB4-0000-0010A6D10500}", "parent_process_id": "5044", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", 
"process_guid": "{31314CAD-F26C-5FB4-0000-00101DD40500}", "process_hash": "null", "process_id": "5092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:07:40", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{31314CAD-F26C-5FB4-0000-001024D20500}", "parent_process_id": "5052", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F26C-5FB4-0000-00101DD40500}", "process_hash": "null", "process_id": "5092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:07:40", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{31314CAD-F2B2-5FB4-0000-00103BB60800}", "parent_process_id": "4980", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F28C-5FB4-0000-00103D630600}", "process_hash": "null", "process_id": "932", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": 
"win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{31314CAD-F2B2-5FB4-0000-00103BB60800}", "parent_process_id": "4980", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B4-5FB4-0000-0010CB440900}", "process_hash": "null", "process_id": "3796", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{31314CAD-F2B2-5FB4-0000-00103BB60800}", "parent_process_id": "4980", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B9-5FB4-0000-001032E50900}", "process_hash": "null", "process_id": "4736", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:57", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{31314CAD-F2BA-5FB4-0000-001026FF0900}", "parent_process_id": "4152", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F288-5FB4-0000-0010D6030600}", 
"process_hash": "null", "process_id": "4768", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:02", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{31314CAD-F2BA-5FB4-0000-001026FF0900}", "parent_process_id": "4152", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-00101C560A00}", "process_hash": "null", "process_id": "1840", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{31314CAD-F2BA-5FB4-0000-001026FF0900}", "parent_process_id": "4152", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-0010A6670A00}", "process_hash": "null", "process_id": "2152", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": 
"unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{31314CAD-F22D-5FB4-0000-0010D9420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F26C-5FB4-0000-00101DD40500}", "process_hash": "null", "process_id": "5092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:07:40", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{31314CAD-F22D-5FB4-0000-0010D9420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F288-5FB4-0000-0010D6030600}", "process_hash": "null", "process_id": "4768", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:02", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{31314CAD-F22D-5FB4-0000-0010D9420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F28C-5FB4-0000-00103D630600}", "process_hash": "null", "process_id": "932", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{31314CAD-F22D-5FB4-0000-0010D9420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B4-5FB4-0000-0010CB440900}", "process_hash": "null", "process_id": "3796", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{31314CAD-F22D-5FB4-0000-0010D9420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B9-5FB4-0000-001032E50900}", "process_hash": "null", "process_id": "4736", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:57", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{31314CAD-F22D-5FB4-0000-0010D9420000}", 
"parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-00101C560A00}", "process_hash": "null", "process_id": "1840", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{31314CAD-F22D-5FB4-0000-0010D9420000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-0010A6670A00}", "process_hash": "null", "process_id": "2152", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2B3-5FB4-0000-00105AE30800}", "parent_process_id": "3304", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F28C-5FB4-0000-00103D630600}", "process_hash": "null", "process_id": "932", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", 
"user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "8", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2B3-5FB4-0000-00105AE30800}", "parent_process_id": "3304", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B4-5FB4-0000-0010CB440900}", "process_hash": "null", "process_id": "3796", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "8", "firstTime": "2020-11-18T10:08:52", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2B3-5FB4-0000-00105AE30800}", "parent_process_id": "3304", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B5-5FB4-0000-0010516E0900}", "process_hash": "null", "process_id": "4736", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:57", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": 
"{31314CAD-F2B3-5FB4-0000-00105AE30800}", "parent_process_id": "3304", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2B9-5FB4-0000-001032E50900}", "process_hash": "null", "process_id": "4736", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2020-11-18T10:08:57", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2BC-5FB4-0000-00104D310A00}", "parent_process_id": "1180", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F288-5FB4-0000-0010D6030600}", "process_hash": "null", "process_id": "4768", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "8", "firstTime": "2020-11-18T10:09:02", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2BC-5FB4-0000-00104D310A00}", "parent_process_id": "1180", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-00101C560A00}", "process_hash": "null", "process_id": "1840", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "8", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-444.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{31314CAD-F2BC-5FB4-0000-00104D310A00}", "parent_process_id": "1180", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{31314CAD-F2BD-5FB4-0000-0010A6670A00}", "process_hash": "null", "process_id": "2152", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "8", "firstTime": "2020-11-18T10:09:01", "lastTime": "2025-12-10T06:33:10"}, {"action": "allowed", "dest": "win-dc-456.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{323FE7D8-1F82-6136-7909-00000000F001}", "parent_process_id": "3192", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{323FE7D8-1F82-6136-7809-00000000F001}", "process_hash": "null", "process_id": "3876", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2021-09-06T14:02:42", "lastTime": "2026-01-23T21:49:41"}, {"action": "allowed", "dest": "win-dc-456.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", 
"parent_process_exec": "conhost.exe", "parent_process_guid": "{323FE7D8-1FC2-6136-8809-00000000F001}", "parent_process_id": "4052", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{323FE7D8-1FC2-6136-8709-00000000F001}", "process_hash": "null", "process_id": "3716", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2021-09-06T14:03:46", "lastTime": "2026-01-23T21:49:41"}, {"action": "allowed", "dest": "win-dc-456.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{323FE7D8-0537-6136-5702-00000000F001}", "parent_process_id": "2756", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{323FE7D8-1F82-6136-7809-00000000F001}", "process_hash": "null", "process_id": "3876", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2021-09-06T14:02:42", "lastTime": "2026-01-23T21:49:41"}, {"action": "allowed", "dest": "win-dc-456.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{323FE7D8-0537-6136-5702-00000000F001}", "parent_process_id": "2756", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{323FE7D8-1FC2-6136-8709-00000000F001}", "process_hash": "null", "process_id": "3716", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2021-09-06T14:03:46", "lastTime": "2026-01-23T21:49:41"}, {"action": "allowed", "dest": "win-dc-456.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{323FE7D8-022E-6136-1200-00000000F001}", "parent_process_id": "768", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{323FE7D8-1F82-6136-7809-00000000F001}", "process_hash": "null", "process_id": "3876", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2021-09-06T14:02:42", "lastTime": "2026-01-23T21:49:41"}, {"action": "allowed", "dest": "win-dc-456.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{323FE7D8-022E-6136-1200-00000000F001}", "parent_process_id": "768", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{323FE7D8-1FC2-6136-8709-00000000F001}", "process_hash": "null", "process_id": "3716", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2021-09-06T14:03:46", "lastTime": "2026-01-23T21:49:41"}, {"action": "allowed", "dest": "win-dc-480.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service", "parent_process_exec": 
"splunkd.exe", "parent_process_guid": "{2CC55DE6-6B54-5FB6-0000-0010874A0600}", "parent_process_id": "4528", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\perfmon.cmd\" --scheme\"", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B58-5FB6-0000-0010C8960600}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5024", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": "win-dc-480.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{2CC55DE6-6B00-5FB6-0000-00109ED70500}", "parent_process_id": "4976", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B00-5FB6-0000-001014DA0500}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5024", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", 
"firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": "win-dc-480.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{2CC55DE6-6B00-5FB6-0000-00109ED70500}", "parent_process_id": "4976", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B00-5FB6-0000-001014DA0500}", "process_hash": "null", "process_id": "5024", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": "win-dc-480.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{2CC55DE6-6B00-5FB6-0000-00101BD80500}", "parent_process_id": "4984", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B00-5FB6-0000-001014DA0500}", "process_hash": "null", "process_id": "5024", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": "win-dc-480.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{2CC55DE6-6B54-5FB6-0000-00105D4F0600}", "parent_process_id": "4708", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": 
"unknown", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B58-5FB6-0000-0010C8960600}", "process_hash": "null", "process_id": "5024", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": "win-dc-480.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{2CC55DE6-6AC0-5FB6-0000-001004430000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B00-5FB6-0000-001014DA0500}", "process_hash": "null", "process_id": "5024", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": "win-dc-480.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{2CC55DE6-6AC0-5FB6-0000-001004430000}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B58-5FB6-0000-0010C8960600}", "process_hash": "null", "process_id": "5024", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": 
"win-dc-480.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "splunkd.exe", "parent_process_guid": "{2CC55DE6-6B54-5FB6-0000-0010874A0600}", "parent_process_id": "4528", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{2CC55DE6-6B58-5FB6-0000-0010C8960600}", "process_hash": "null", "process_id": "5024", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:44:55", "lastTime": "2025-12-10T01:44:55"}, {"action": "allowed", "dest": "win-dc-493.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{AC4A1902-7A4F-5FCF-AD00-000000009101}", "parent_process_id": "4116", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{AC4A1902-7A4F-5FCF-AF00-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5016", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:17:39", "lastTime": "2025-12-10T04:17:39"}, {"action": "allowed", "dest": "win-dc-493.attackrange.local", 
"original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{AC4A1902-7A4F-5FCF-AD00-000000009101}", "parent_process_id": "4116", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{AC4A1902-7A4F-5FCF-AF00-000000009101}", "process_hash": "null", "process_id": "5016", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:17:39", "lastTime": "2025-12-10T04:17:39"}, {"action": "allowed", "dest": "win-dc-493.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{AC4A1902-7A4F-5FCF-AE00-000000009101}", "parent_process_id": "4916", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{AC4A1902-7A4F-5FCF-AF00-000000009101}", "process_hash": "null", "process_id": "5016", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:17:39", "lastTime": "2025-12-10T04:17:39"}, {"action": "allowed", "dest": "win-dc-493.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{AC4A1902-7A10-5FCF-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{AC4A1902-7A4F-5FCF-AF00-000000009101}", "process_hash": "null", "process_id": "5016", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:17:39", "lastTime": "2025-12-10T04:17:39"}, {"action": "allowed", "dest": "win-dc-495.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{59A5CD1D-8E83-6005-8700-00000000A301}", "parent_process_id": "4328", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{59A5CD1D-8E83-6005-8900-00000000A301}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4368", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "allowed", "dest": "win-dc-495.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{59A5CD1D-8E83-6005-8700-00000000A301}", "parent_process_id": "4328", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{59A5CD1D-8E83-6005-8900-00000000A301}", "process_hash": "null", "process_id": "4368", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "allowed", "dest": "win-dc-495.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{59A5CD1D-8E83-6005-8800-00000000A301}", "parent_process_id": "4304", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{59A5CD1D-8E83-6005-8900-00000000A301}", "process_hash": "null", "process_id": "4368", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "allowed", "dest": "win-dc-495.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{59A5CD1D-8E44-6005-0500-00000000A301}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{59A5CD1D-8E83-6005-8900-00000000A301}", "process_hash": "null", "process_id": "4368", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:18:40", "lastTime": "2025-12-10T08:18:40"}, {"action": "allowed", "dest": "win-dc-4997286.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", 
"parent_process_guid": "{94F99722-33EA-5F80-8500-000000007F01}", "parent_process_id": "4444", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{94F99722-33EB-5F80-8700-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3932", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:12:55", "lastTime": "2025-12-10T07:12:55"}, {"action": "allowed", "dest": "win-dc-4997286.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{94F99722-33EA-5F80-8500-000000007F01}", "parent_process_id": "4444", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{94F99722-33EB-5F80-8700-000000007F01}", "process_hash": "null", "process_id": "3932", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:12:55", "lastTime": "2025-12-10T07:12:55"}, {"action": "allowed", "dest": "win-dc-4997286.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{94F99722-33EA-5F80-8600-000000007F01}", "parent_process_id": "2612", "parent_process_name": "conhost.exe", 
"parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{94F99722-33EB-5F80-8700-000000007F01}", "process_hash": "null", "process_id": "3932", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:12:55", "lastTime": "2025-12-10T07:12:55"}, {"action": "allowed", "dest": "win-dc-4997286.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{94F99722-33AB-5F80-0500-000000007F01}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{94F99722-33EB-5F80-8700-000000007F01}", "process_hash": "null", "process_id": "3932", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:12:55", "lastTime": "2025-12-10T07:12:55"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANgAuADAAMQAyACIAIAAtAEMAbABlAGEAbgB1AHAA", "parent_process_exec": "powershell.exe", 
"parent_process_guid": "{E77FF980-C040-5FC0-6801-000000009101}", "parent_process_id": "3896", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\C:\\Windows\\System32\\calc.exe\" /v Debugger /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C041-5FC0-6F01-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "1888", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{E77FF980-C03E-5FC0-5201-000000009101}", "parent_process_id": "4928", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\C:\\Windows\\System32\\calc.exe\" /v Debugger /d \"C:\\Windows\\System32\\cmd.exe\"\"", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5801-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": 
"900", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{E77FF980-C03E-5FC0-5201-000000009101}", "parent_process_id": "4928", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\C:\\Windows\\System32\\notepad.exe\" /v GlobalFlag /t REG_DWORD /d 512 & REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\C:\\Windows\\System32\\notepad.exe\" /v ReportingMode /t REG_DWORD /d 1 & REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\C:\\Windows\\System32\\notepad.exe\" /v MonitorProcess /d \"C:\\Windows\\System32\\cmd.exe\"\"", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5A01-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4784", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "Cmd.Exe", 
"parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E77FF980-BEEB-5FC0-8B00-000000009101}", "parent_process_id": "5052", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{E77FF980-BEEB-5FC0-8D00-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5104", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E77FF980-BEEB-5FC0-8B00-000000009101}", "parent_process_id": "5052", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-BEEB-5FC0-8D00-000000009101}", "process_hash": "null", "process_id": "5104", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", 
"parent_process_guid": "{E77FF980-BEEB-5FC0-8C00-000000009101}", "parent_process_id": "5060", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-BEEB-5FC0-8D00-000000009101}", "process_hash": "null", "process_id": "5104", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E77FF980-C03D-5FC0-4B01-000000009101}", "parent_process_id": "4244", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5801-000000009101}", "process_hash": "null", "process_id": "900", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E77FF980-C03D-5FC0-4B01-000000009101}", "parent_process_id": "4244", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5A01-000000009101}", "process_hash": "null", "process_id": "4784", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E77FF980-C03F-5FC0-6001-000000009101}", "parent_process_id": "3404", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C041-5FC0-6F01-000000009101}", "process_hash": "null", "process_id": "1888", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E77FF980-BEAC-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-BEEB-5FC0-8D00-000000009101}", "process_hash": "null", "process_id": "5104", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E77FF980-BEAC-5FC0-0500-000000009101}", "parent_process_id": 
"644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5801-000000009101}", "process_hash": "null", "process_id": "900", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E77FF980-BEAC-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5A01-000000009101}", "process_hash": "null", "process_id": "4784", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E77FF980-BEAC-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C041-5FC0-6F01-000000009101}", "process_hash": "null", "process_id": "1888", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", 
"count": "1", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{E77FF980-C03E-5FC0-5201-000000009101}", "parent_process_id": "4928", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5801-000000009101}", "process_hash": "null", "process_id": "900", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{E77FF980-C03E-5FC0-5201-000000009101}", "parent_process_id": "4928", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C03F-5FC0-5A01-000000009101}", "process_hash": "null", "process_id": "4784", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-500.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{E77FF980-C040-5FC0-6801-000000009101}", "parent_process_id": "3896", "parent_process_name": 
"powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E77FF980-C041-5FC0-6F01-000000009101}", "process_hash": "null", "process_id": "1888", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:39:12", "lastTime": "2025-12-10T06:39:12"}, {"action": "allowed", "dest": "win-dc-549.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{EF7148D2-9B95-5FB7-9C00-000000009101}", "parent_process_id": "4852", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{EF7148D2-9B95-5FB7-9F00-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5076", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:56:03", "lastTime": "2025-12-10T03:56:03"}, {"action": "allowed", "dest": "win-dc-549.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{EF7148D2-9B95-5FB7-9C00-000000009101}", "parent_process_id": "4852", "parent_process_name": "cmd.exe", "parent_process_path": 
"C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{EF7148D2-9B95-5FB7-9F00-000000009101}", "process_hash": "null", "process_id": "5076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:56:03", "lastTime": "2025-12-10T03:56:03"}, {"action": "allowed", "dest": "win-dc-549.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{EF7148D2-9B95-5FB7-9D00-000000009101}", "parent_process_id": "4844", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{EF7148D2-9B95-5FB7-9F00-000000009101}", "process_hash": "null", "process_id": "5076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:56:03", "lastTime": "2025-12-10T03:56:03"}, {"action": "allowed", "dest": "win-dc-549.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{EF7148D2-9B56-5FB7-0500-000000009101}", "parent_process_id": "648", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{EF7148D2-9B95-5FB7-9F00-000000009101}", "process_hash": "null", "process_id": "5076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:56:03", "lastTime": 
"2025-12-10T03:56:03"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{E036F963-917D-5FB7-0000-0010AA352700}", "parent_process_id": "4440", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam %%temp%%\\sam & reg save HKLM\\system %%temp%%\\system & reg save HKLM\\security %%temp%%\\security\"", "process_exec": "cmd.exe", "process_guid": "{E036F963-917F-5FB7-0000-0010F5572700}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5868", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:03:35", "lastTime": "2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E036F963-88C4-5FB7-0000-0010E3CA0500}", "parent_process_id": "4908", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{E036F963-88C4-5FB7-0000-00105ACD0500}", "process_hash": 
"MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4956", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:03:35", "lastTime": "2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E036F963-88C4-5FB7-0000-0010E3CA0500}", "parent_process_id": "4908", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E036F963-88C4-5FB7-0000-00105ACD0500}", "process_hash": "null", "process_id": "4956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:03:35", "lastTime": "2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E036F963-88C4-5FB7-0000-001061CB0500}", "parent_process_id": "4916", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E036F963-88C4-5FB7-0000-00105ACD0500}", "process_hash": "null", "process_id": "4956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:03:35", "lastTime": 
"2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E036F963-917C-5FB7-0000-00108C0F2700}", "parent_process_id": "2088", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E036F963-9177-5FB7-0000-001094742600}", "process_hash": "null", "process_id": "5868", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:03:35", "lastTime": "2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E036F963-8885-5FB7-0000-0010B4420000}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E036F963-88C4-5FB7-0000-00105ACD0500}", "process_hash": "null", "process_id": "4956", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:03:35", "lastTime": "2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E036F963-8885-5FB7-0000-0010B4420000}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{E036F963-9177-5FB7-0000-001094742600}", "process_hash": "null", "process_id": "5868", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:03:35", "lastTime": "2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-555.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{E036F963-917D-5FB7-0000-0010AA352700}", "parent_process_id": "4440", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E036F963-9177-5FB7-0000-001094742600}", "process_hash": "null", "process_id": "5868", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T04:03:35", "lastTime": "2025-12-10T04:03:35"}, {"action": "allowed", "dest": "win-dc-61.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{D14C3FAC-1C9C-5FCE-B000-000000009101}", "parent_process_id": "4756", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{D14C3FAC-1C9C-5FCE-B200-000000009101}", "process_hash": 
"MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4652", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:39:08", "lastTime": "2025-12-10T02:39:08"}, {"action": "allowed", "dest": "win-dc-61.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{D14C3FAC-1C9C-5FCE-B000-000000009101}", "parent_process_id": "4756", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D14C3FAC-1C9C-5FCE-B200-000000009101}", "process_hash": "null", "process_id": "4652", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:39:08", "lastTime": "2025-12-10T02:39:08"}, {"action": "allowed", "dest": "win-dc-61.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D14C3FAC-1C9C-5FCE-B100-000000009101}", "parent_process_id": "4824", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D14C3FAC-1C9C-5FCE-B200-000000009101}", "process_hash": "null", "process_id": "4652", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:39:08", "lastTime": "2025-12-10T02:39:08"}, 
{"action": "allowed", "dest": "win-dc-61.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D14C3FAC-1C5C-5FCE-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D14C3FAC-1C9C-5FCE-B200-000000009101}", "process_hash": "null", "process_id": "4652", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:39:08", "lastTime": "2025-12-10T02:39:08"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service", "parent_process_exec": "splunkd.exe", "parent_process_guid": "{7E7FFDA1-1941-5FCE-0000-0010A5780600}", "parent_process_id": "868", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\WinPrintMon.cmd\" --scheme\"", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-1946-5FCE-0000-0010E9C60600}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4236", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": 
"Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7E7FFDA1-18EE-5FCE-0000-0010920B0600}", "parent_process_id": "4172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-18EE-5FCE-0000-0010080E0600}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4236", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7E7FFDA1-18EE-5FCE-0000-0010920B0600}", "parent_process_id": "4172", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-18EE-5FCE-0000-0010080E0600}", "process_hash": "null", "process_id": "4236", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", 
"parent_process_guid": "{7E7FFDA1-18EE-5FCE-0000-00100F0C0600}", "parent_process_id": "4164", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-18EE-5FCE-0000-0010080E0600}", "process_hash": "null", "process_id": "4236", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7E7FFDA1-1942-5FCE-0000-0010B3850600}", "parent_process_id": "4688", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-1946-5FCE-0000-0010E9C60600}", "process_hash": "null", "process_id": "4236", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7E7FFDA1-18AF-5FCE-0000-0010FA420000}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-18EE-5FCE-0000-0010080E0600}", "process_hash": "null", "process_id": "4236", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7E7FFDA1-18AF-5FCE-0000-0010FA420000}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-1946-5FCE-0000-0010E9C60600}", "process_hash": "null", "process_id": "4236", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-633.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "splunkd.exe", "parent_process_guid": "{7E7FFDA1-1941-5FCE-0000-0010A5780600}", "parent_process_id": "868", "parent_process_name": "splunkd.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E7FFDA1-1946-5FCE-0000-0010E9C60600}", "process_hash": "null", "process_id": "4236", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:55:46", "lastTime": "2025-12-10T08:55:46"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", 
"parent_process_exec": "powershell.exe", "parent_process_guid": "{7E748F86-8D3D-5FBB-0000-00102EEB0A00}", "parent_process_id": "4692", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Local Port\" /v Driver /t REG_SZ /d localspl.dll /f\"", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3E-5FBB-0000-0010FE0D0B00}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2768", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7E748F86-8D3A-5FBB-0000-0010C7970A00}", "parent_process_id": "2484", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg.exe ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Local Port\" /v Driver /t REG_SZ /d C:\\AtomicRedTeam\\atomics\\T1547.010\\src\\x64\\T1547.dll /f\"", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3C-5FBB-0000-001080BD0A00}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3200", 
"process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7E748F86-8CAA-5FBB-0000-001027310600}", "parent_process_id": "4076", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8CAA-5FBB-0000-00108A330600}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3188", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7E748F86-8CAA-5FBB-0000-001027310600}", "parent_process_id": "4076", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8CAA-5FBB-0000-00108A330600}", "process_hash": "null", "process_id": "3188", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7E748F86-8CAA-5FBB-0000-001097310600}", "parent_process_id": "4156", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8CAA-5FBB-0000-00108A330600}", "process_hash": "null", "process_id": "3188", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7E748F86-8D39-5FBB-0000-0010A26F0A00}", "parent_process_id": "3236", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3C-5FBB-0000-001080BD0A00}", "process_hash": "null", "process_id": "3200", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7E748F86-8D3C-5FBB-0000-00107AC30A00}", 
"parent_process_id": "3856", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3E-5FBB-0000-0010FE0D0B00}", "process_hash": "null", "process_id": "2768", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7E748F86-8C6B-5FBB-0000-0010E8420000}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8CAA-5FBB-0000-00108A330600}", "process_hash": "null", "process_id": "3188", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7E748F86-8C6B-5FBB-0000-0010E8420000}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3C-5FBB-0000-001080BD0A00}", "process_hash": "null", "process_id": "3200", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": 
"Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7E748F86-8C6B-5FBB-0000-0010E8420000}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3E-5FBB-0000-0010FE0D0B00}", "process_hash": "null", "process_id": "2768", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7E748F86-8D3A-5FBB-0000-0010C7970A00}", "parent_process_id": "2484", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3C-5FBB-0000-001080BD0A00}", "process_hash": "null", "process_id": "3200", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-638.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7E748F86-8D3D-5FBB-0000-00102EEB0A00}", "parent_process_id": "4692", "parent_process_name": "powershell.exe", 
"parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7E748F86-8D3E-5FBB-0000-0010FE0D0B00}", "process_hash": "null", "process_id": "2768", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:58:52", "lastTime": "2025-12-10T06:58:52"}, {"action": "allowed", "dest": "win-dc-676.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{6EDEAD03-E7AF-615E-9201-00000000FD01}", "parent_process_id": "1908", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{6EDEAD03-E7AF-615E-9101-00000000FD01}", "process_hash": "null", "process_id": "1928", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:51:11", "lastTime": "2025-12-10T00:35:35"}, {"action": "allowed", "dest": "win-dc-676.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{6EDEAD03-E8FF-615E-C401-00000000FD01}", "parent_process_id": "6136", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{6EDEAD03-E8FF-615E-C301-00000000FD01}", "process_hash": "null", "process_id": "6924", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", 
"count": "3", "firstTime": "2025-12-09T21:51:11", "lastTime": "2025-12-10T00:35:35"}, {"action": "allowed", "dest": "win-dc-676.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{6EDEAD03-E40D-615E-DD00-00000000FD01}", "parent_process_id": "2772", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{6EDEAD03-E7AF-615E-9101-00000000FD01}", "process_hash": "null", "process_id": "1928", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:51:11", "lastTime": "2025-12-10T00:35:35"}, {"action": "allowed", "dest": "win-dc-676.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{6EDEAD03-E40D-615E-DD00-00000000FD01}", "parent_process_id": "2772", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{6EDEAD03-E8FF-615E-C301-00000000FD01}", "process_hash": "null", "process_id": "6924", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:51:11", "lastTime": "2025-12-10T00:35:35"}, {"action": "allowed", "dest": "win-dc-6764986.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{96128EA2-F211-5F7E-DF00-000000007F01}", "parent_process_id": "4624", 
"parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam %%temp%%\\sam & reg save HKLM\\system %%temp%%\\system & reg save HKLM\\security %%temp%%\\security\"", "process_exec": "cmd.exe", "process_guid": "{96128EA2-F212-5F7E-E400-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2296", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:12:36", "lastTime": "2025-12-10T06:12:36"}, {"action": "allowed", "dest": "win-dc-6764986.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{96128EA2-F1E4-5F7E-9C00-000000007F01}", "parent_process_id": "4224", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{96128EA2-F1E4-5F7E-9E00-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "604", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:12:36", "lastTime": 
"2025-12-10T06:12:36"}, {"action": "allowed", "dest": "win-dc-6764986.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{96128EA2-F1E4-5F7E-9C00-000000007F01}", "parent_process_id": "4224", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{96128EA2-F1E4-5F7E-9E00-000000007F01}", "process_hash": "null", "process_id": "604", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:12:36", "lastTime": "2025-12-10T06:12:36"}, {"action": "allowed", "dest": "win-dc-6764986.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{96128EA2-F1E4-5F7E-9D00-000000007F01}", "parent_process_id": "4936", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{96128EA2-F1E4-5F7E-9E00-000000007F01}", "process_hash": "null", "process_id": "604", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:12:36", "lastTime": "2025-12-10T06:12:36"}, {"action": "allowed", "dest": "win-dc-6764986.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{96128EA2-F210-5F7E-D800-000000007F01}", "parent_process_id": "4640", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", 
"process_guid": "{96128EA2-F212-5F7E-E400-000000007F01}", "process_hash": "null", "process_id": "2296", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:12:36", "lastTime": "2025-12-10T06:12:36"}, {"action": "allowed", "dest": "win-dc-6764986.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{96128EA2-F1A6-5F7E-0500-000000007F01}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{96128EA2-F1E4-5F7E-9E00-000000007F01}", "process_hash": "null", "process_id": "604", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:12:36", "lastTime": "2025-12-10T06:12:36"}, {"action": "allowed", "dest": "win-dc-6764986.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{96128EA2-F1A6-5F7E-0500-000000007F01}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{96128EA2-F212-5F7E-E400-000000007F01}", "process_hash": "null", "process_id": "2296", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:12:36", "lastTime": "2025-12-10T06:12:36"}, {"action": "allowed", "dest": 
"win-dc-6764986.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{96128EA2-F211-5F7E-DF00-000000007F01}", "parent_process_id": "4624", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{96128EA2-F212-5F7E-E400-000000007F01}", "process_hash": "null", "process_id": "2296", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:12:36", "lastTime": "2025-12-10T06:12:36"}, {"action": "allowed", "dest": "win-dc-7216619.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{733EE690-3E36-5F80-8500-000000007F01}", "parent_process_id": "4404", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{733EE690-3E36-5F80-8700-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4436", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:19:24", "lastTime": "2025-12-10T00:44:07"}, {"action": "allowed", "dest": 
"win-dc-7216619.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{733EE690-3E36-5F80-8500-000000007F01}", "parent_process_id": "4404", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{733EE690-3E36-5F80-8700-000000007F01}", "process_hash": "null", "process_id": "4436", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:19:24", "lastTime": "2025-12-10T00:44:07"}, {"action": "allowed", "dest": "win-dc-7216619.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{733EE690-3E36-5F80-8600-000000007F01}", "parent_process_id": "4084", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{733EE690-3E36-5F80-8700-000000007F01}", "process_hash": "null", "process_id": "4436", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:19:24", "lastTime": "2025-12-10T00:44:07"}, {"action": "allowed", "dest": "win-dc-7216619.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{733EE690-3DF7-5F80-0500-000000007F01}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{733EE690-3E36-5F80-8700-000000007F01}", 
"process_hash": "null", "process_id": "4436", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:19:24", "lastTime": "2025-12-10T00:44:07"}, {"action": "allowed", "dest": "win-dc-73.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{6423918C-7F52-604B-8A00-00000000AD01}", "parent_process_id": "3328", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{6423918C-7F52-604B-8C00-00000000AD01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4004", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "allowed", "dest": "win-dc-73.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{6423918C-7F52-604B-8A00-00000000AD01}", "parent_process_id": "3328", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{6423918C-7F52-604B-8C00-00000000AD01}", "process_hash": "null", "process_id": "4004", "process_integrity_level": "null", 
"process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "allowed", "dest": "win-dc-73.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{6423918C-7F52-604B-8B00-00000000AD01}", "parent_process_id": "1564", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{6423918C-7F52-604B-8C00-00000000AD01}", "process_hash": "null", "process_id": "4004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "allowed", "dest": "win-dc-73.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{6423918C-7F11-604B-0500-00000000AD01}", "parent_process_id": "624", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{6423918C-7F52-604B-8C00-00000000AD01}", "process_hash": "null", "process_id": "4004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "allowed", "dest": "win-dc-748.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", 
"parent_process_exec": "cmd.exe", "parent_process_guid": "{573C7F3B-9D42-5FAA-7D00-000000008801}", "parent_process_id": "5012", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{573C7F3B-9D42-5FAA-7F00-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5064", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:55:50", "lastTime": "2025-12-10T04:55:50"}, {"action": "allowed", "dest": "win-dc-748.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{573C7F3B-9D42-5FAA-7D00-000000008801}", "parent_process_id": "5012", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{573C7F3B-9D42-5FAA-7F00-000000008801}", "process_hash": "null", "process_id": "5064", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:55:50", "lastTime": "2025-12-10T04:55:50"}, {"action": "allowed", "dest": "win-dc-748.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{573C7F3B-9D42-5FAA-7E00-000000008801}", "parent_process_id": "5020", "parent_process_name": 
"conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{573C7F3B-9D42-5FAA-7F00-000000008801}", "process_hash": "null", "process_id": "5064", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:55:50", "lastTime": "2025-12-10T04:55:50"}, {"action": "allowed", "dest": "win-dc-748.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{573C7F3B-9D03-5FAA-0500-000000008801}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{573C7F3B-9D42-5FAA-7F00-000000008801}", "process_hash": "null", "process_id": "5064", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:55:50", "lastTime": "2025-12-10T04:55:50"}, {"action": "allowed", "dest": "win-dc-763.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{42D2378F-8B8F-5FB6-9B00-000000009101}", "parent_process_id": "4984", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{42D2378F-8B8F-5FB6-9D00-000000009101}", "process_hash": 
"MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4824", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:14:08", "lastTime": "2025-12-10T08:14:08"}, {"action": "allowed", "dest": "win-dc-763.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{42D2378F-8B8F-5FB6-9B00-000000009101}", "parent_process_id": "4984", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{42D2378F-8B8F-5FB6-9D00-000000009101}", "process_hash": "null", "process_id": "4824", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:14:08", "lastTime": "2025-12-10T08:14:08"}, {"action": "allowed", "dest": "win-dc-763.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{42D2378F-8B8F-5FB6-9C00-000000009101}", "parent_process_id": "4876", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{42D2378F-8B8F-5FB6-9D00-000000009101}", "process_hash": "null", "process_id": "4824", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:14:08", "lastTime": 
"2025-12-10T08:14:08"}, {"action": "allowed", "dest": "win-dc-763.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{B13AE1A5-6C4F-6092-5909-00000000BA01}", "parent_process_id": "6972", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B13AE1A5-6C4F-6092-5809-00000000BA01}", "process_hash": "null", "process_id": "2264", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2021-05-05T09:58:39", "lastTime": "2025-12-10T07:26:28"}, {"action": "allowed", "dest": "win-dc-763.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{42D2378F-8B50-5FB6-0500-000000009101}", "parent_process_id": "648", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{42D2378F-8B8F-5FB6-9D00-000000009101}", "process_hash": "null", "process_id": "4824", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T08:14:08", "lastTime": "2025-12-10T08:14:08"}, {"action": "allowed", "dest": "win-dc-763.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{B13AE1A5-4D0B-6092-E204-00000000BA01}", "parent_process_id": "1268", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{B13AE1A5-6C4F-6092-5809-00000000BA01}", "process_hash": "null", "process_id": "2264", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2021-05-05T09:58:39", "lastTime": "2025-12-10T07:26:28"}, {"action": "allowed", "dest": "win-dc-763.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{B13AE1A5-471A-6092-1200-00000000BA01}", "parent_process_id": "1216", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B13AE1A5-6C4F-6092-5809-00000000BA01}", "process_hash": "null", "process_id": "2264", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2021-05-05T09:58:39", "lastTime": "2025-12-10T07:26:28"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\WinrsHost.exe -Embedding", "parent_process_exec": "winrshost.exe", "parent_process_guid": "{D28789B6-7C99-5FA1-8000-000000008801}", "parent_process_id": "4372", "parent_process_name": "winrshost.exe", "parent_process_path": "C:\\Windows\\System32\\winrshost.exe", "process": "C:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7C99-5FA1-8200-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2312", "process_integrity_level": 
"high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{D28789B6-7CA1-5FA1-8D00-000000008801}", "parent_process_id": "4348", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7CA1-5FA1-8F00-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2312", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "WinrsHost.exe", "parent_process_guid": "{D28789B6-7C99-5FA1-8000-000000008801}", "parent_process_id": "4372", "parent_process_name": "WinrsHost.exe", "parent_process_path": "C:\\Windows\\system32\\WinrsHost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7C99-5FA1-8200-000000008801}", "process_hash": "null", "process_id": "2312", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{D28789B6-7CA1-5FA1-8D00-000000008801}", "parent_process_id": "4348", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7CA1-5FA1-8F00-000000008801}", "process_hash": "null", "process_id": "2312", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D28789B6-7C99-5FA1-8100-000000008801}", "parent_process_id": "5096", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7C99-5FA1-8200-000000008801}", "process_hash": "null", "process_id": "2312", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D28789B6-7CA1-5FA1-8E00-000000008801}", "parent_process_id": 
"2764", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7CA1-5FA1-8F00-000000008801}", "process_hash": "null", "process_id": "2312", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D28789B6-7C62-5FA1-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7C99-5FA1-8200-000000008801}", "process_hash": "null", "process_id": "2312", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-807.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D28789B6-7C62-5FA1-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D28789B6-7CA1-5FA1-8F00-000000008801}", "process_hash": "null", "process_id": "2312", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", 
"count": "1", "firstTime": "2025-12-10T07:18:56", "lastTime": "2025-12-10T07:18:56"}, {"action": "allowed", "dest": "win-dc-837.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{856D1934-DACB-6113-8600-00000000E501}", "parent_process_id": "4700", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{856D1934-DACB-6113-8800-00000000E501}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4752", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "allowed", "dest": "win-dc-837.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{856D1934-DACB-6113-8600-00000000E501}", "parent_process_id": "4700", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{856D1934-DACB-6113-8800-00000000E501}", "process_hash": "null", "process_id": "4752", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": 
"2025-12-10T04:16:39"}, {"action": "allowed", "dest": "win-dc-837.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{856D1934-DACB-6113-8700-00000000E501}", "parent_process_id": "4708", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{856D1934-DACB-6113-8800-00000000E501}", "process_hash": "null", "process_id": "4752", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "allowed", "dest": "win-dc-837.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{856D1934-DA8B-6113-0500-00000000E501}", "parent_process_id": "396", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{856D1934-DACB-6113-8800-00000000E501}", "process_hash": "null", "process_id": "4752", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 
WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAzACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA", "parent_process_exec": "powershell.exe", "parent_process_guid": "{F97E5129-0C01-5F7F-C700-000000007F01}", "parent_process_id": "4840", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions /v ProductType | findstr LanmanNT\"", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D600-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4996", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{F97E5129-0C01-5F7F-C700-000000007F01}", "parent_process_id": "4840", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 
"process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions /v ProductType | findstr LanmanNT\"", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D900-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3660", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{F97E5129-0BDF-5F7F-8400-000000007F01}", "parent_process_id": "4392", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0BDF-5F7F-8600-000000007F01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2852", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": 
"unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{F97E5129-0BDF-5F7F-8400-000000007F01}", "parent_process_id": "4392", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0BDF-5F7F-8600-000000007F01}", "process_hash": "null", "process_id": "2852", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{F97E5129-0BDF-5F7F-8500-000000007F01}", "parent_process_id": "3844", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0BDF-5F7F-8600-000000007F01}", "process_hash": "null", "process_id": "2852", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{F97E5129-0C00-5F7F-C000-000000007F01}", "parent_process_id": "2892", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D600-000000007F01}", "process_hash": "null", "process_id": "4996", "process_integrity_level": "null", 
"process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{F97E5129-0C00-5F7F-C000-000000007F01}", "parent_process_id": "2892", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D900-000000007F01}", "process_hash": "null", "process_id": "3660", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{F97E5129-0BA0-5F7F-0500-000000007F01}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0BDF-5F7F-8600-000000007F01}", "process_hash": "null", "process_id": "2852", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": 
"{F97E5129-0BA0-5F7F-0500-000000007F01}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D600-000000007F01}", "process_hash": "null", "process_id": "4996", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{F97E5129-0BA0-5F7F-0500-000000007F01}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D900-000000007F01}", "process_hash": "null", "process_id": "3660", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{F97E5129-0C01-5F7F-C700-000000007F01}", "parent_process_id": "4840", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D600-000000007F01}", "process_hash": "null", "process_id": "4996", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-8537412.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{F97E5129-0C01-5F7F-C700-000000007F01}", "parent_process_id": "4840", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{F97E5129-0C02-5F7F-D900-000000007F01}", "process_hash": "null", "process_id": "3660", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T00:48:38", "lastTime": "2025-12-10T00:48:38"}, {"action": "allowed", "dest": "win-dc-875.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{528F90B7-48DC-5FCA-9700-000000009101}", "parent_process_id": "4764", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{528F90B7-48DD-5FCA-9900-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4844", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:35:01", "lastTime": "2025-12-10T07:35:01"}, {"action": "allowed", "dest": "win-dc-875.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{528F90B7-48DC-5FCA-9700-000000009101}", "parent_process_id": "4764", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{528F90B7-48DD-5FCA-9900-000000009101}", "process_hash": "null", "process_id": "4844", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:35:01", "lastTime": "2025-12-10T07:35:01"}, {"action": "allowed", "dest": "win-dc-875.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{528F90B7-48DC-5FCA-9800-000000009101}", "parent_process_id": "4772", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{528F90B7-48DD-5FCA-9900-000000009101}", "process_hash": "null", "process_id": "4844", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:35:01", "lastTime": "2025-12-10T07:35:01"}, {"action": "allowed", "dest": "win-dc-875.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{528F90B7-489D-5FCA-0500-000000009101}", "parent_process_id": "644", 
"parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{528F90B7-48DD-5FCA-9900-000000009101}", "process_hash": "null", "process_id": "4844", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:35:01", "lastTime": "2025-12-10T07:35:01"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{8057F119-2FEF-60EC-090A-00000000DB01}", "parent_process_id": "6176", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "null", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{8057F119-307A-60EC-2A0A-00000000DB01}", "parent_process_id": "6640", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "null", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", 
"count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{8057F119-3168-60EC-540A-00000000DB01}", "parent_process_id": "6280", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "null", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{8057F119-3242-60EC-7B0A-00000000DB01}", "parent_process_id": "9680", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "null", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-089E-60EC-0500-00000000DB01}", "parent_process_id": "412", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", 
"process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "null", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-089E-60EC-0500-00000000DB01}", "parent_process_id": "412", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "null", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-089E-60EC-0500-00000000DB01}", "parent_process_id": "412", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "null", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", 
"dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-089E-60EC-0500-00000000DB01}", "parent_process_id": "412", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "null", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-21B7-60EC-3B07-00000000DB01}", "parent_process_id": "5512", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "null", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-21B7-60EC-3B07-00000000DB01}", "parent_process_id": "5512", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": 
"null", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-21B7-60EC-3B07-00000000DB01}", "parent_process_id": "5512", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "null", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{8057F119-21B7-60EC-3B07-00000000DB01}", "parent_process_id": "5512", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "null", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": 
"svchost.exe", "parent_process_guid": "{8057F119-08A1-60EC-1600-00000000DB01}", "parent_process_id": "1236", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\system32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "null", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{8057F119-08A1-60EC-1600-00000000DB01}", "parent_process_id": "1236", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\system32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "null", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{8057F119-08A1-60EC-1600-00000000DB01}", "parent_process_id": "1236", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\system32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "null", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-89.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{8057F119-08A1-60EC-1600-00000000DB01}", "parent_process_id": "1236", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\system32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "null", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "allowed", "dest": "win-dc-890.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{466BC892-F5C8-60EB-657D-00000000CF01}", "parent_process_id": "8408", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{466BC892-F5C8-60EB-647D-00000000CF01}", "process_hash": "null", "process_id": "9872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:54", "lastTime": "2025-12-10T03:26:54"}, {"action": "allowed", "dest": "win-dc-890.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": 
"{466BC892-F5DD-60EB-757D-00000000CF01}", "parent_process_id": "9692", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{466BC892-F5DC-60EB-747D-00000000CF01}", "process_hash": "null", "process_id": "4304", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:54", "lastTime": "2025-12-10T03:26:54"}, {"action": "allowed", "dest": "win-dc-890.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{466BC892-32CD-60E8-670B-00000000CF01}", "parent_process_id": "4516", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{466BC892-F5C8-60EB-647D-00000000CF01}", "process_hash": "null", "process_id": "9872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:54", "lastTime": "2025-12-10T03:26:54"}, {"action": "allowed", "dest": "win-dc-890.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{466BC892-32CD-60E8-670B-00000000CF01}", "parent_process_id": "4516", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{466BC892-F5DC-60EB-747D-00000000CF01}", "process_hash": "null", "process_id": "4304", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": 
"unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:54", "lastTime": "2025-12-10T03:26:54"}, {"action": "allowed", "dest": "win-dc-890.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{466BC892-02AF-60E8-1400-00000000CF01}", "parent_process_id": "1028", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{466BC892-F5C8-60EB-647D-00000000CF01}", "process_hash": "null", "process_id": "9872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:54", "lastTime": "2025-12-10T03:26:54"}, {"action": "allowed", "dest": "win-dc-890.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{466BC892-02AF-60E8-1400-00000000CF01}", "parent_process_id": "1028", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{466BC892-F5DC-60EB-747D-00000000CF01}", "process_hash": "null", "process_id": "4304", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:54", "lastTime": "2025-12-10T03:26:54"}, {"action": "allowed", "dest": "win-dc-892.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": 
"{266CAFBE-64AA-6064-8B00-00000000AE01}", "parent_process_id": "2340", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{266CAFBE-64AA-6064-8D00-00000000AE01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4948", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "allowed", "dest": "win-dc-892.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{266CAFBE-64AA-6064-8B00-00000000AE01}", "parent_process_id": "2340", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{266CAFBE-64AA-6064-8D00-00000000AE01}", "process_hash": "null", "process_id": "4948", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "allowed", "dest": "win-dc-892.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{266CAFBE-64AA-6064-8C00-00000000AE01}", "parent_process_id": "4416", "parent_process_name": "conhost.exe", "parent_process_path": 
"C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{266CAFBE-64AA-6064-8D00-00000000AE01}", "process_hash": "null", "process_id": "4948", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "allowed", "dest": "win-dc-892.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{266CAFBE-6556-6064-2601-00000000AE01}", "parent_process_id": "1264", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{266CAFBE-6556-6064-2501-00000000AE01}", "process_hash": "null", "process_id": "1480", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "allowed", "dest": "win-dc-892.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{266CAFBE-6469-6064-0500-00000000AE01}", "parent_process_id": "624", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{266CAFBE-64AA-6064-8D00-00000000AE01}", "process_hash": "null", "process_id": "4948", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": 
"2025-12-10T07:33:00"}, {"action": "allowed", "dest": "win-dc-892.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{266CAFBE-64C1-6064-9100-00000000AE01}", "parent_process_id": "5108", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{266CAFBE-6556-6064-2501-00000000AE01}", "process_hash": "null", "process_id": "1480", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "allowed", "dest": "win-dc-892.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{266CAFBE-646C-6064-1300-00000000AE01}", "parent_process_id": "1228", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{266CAFBE-6556-6064-2501-00000000AE01}", "process_hash": "null", "process_id": "1480", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "allowed", "dest": "win-dc-893.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{40924FE2-219A-5FCE-9E00-000000009101}", "parent_process_id": "3552", "parent_process_name": "cmd.exe", "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{40924FE2-219A-5FCE-A100-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2496", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:48:14", "lastTime": "2025-12-10T02:48:14"}, {"action": "allowed", "dest": "win-dc-893.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{40924FE2-219A-5FCE-9E00-000000009101}", "parent_process_id": "3552", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{40924FE2-219A-5FCE-A100-000000009101}", "process_hash": "null", "process_id": "2496", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:48:14", "lastTime": "2025-12-10T02:48:14"}, {"action": "allowed", "dest": "win-dc-893.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{40924FE2-219A-5FCE-9F00-000000009101}", "parent_process_id": "4100", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{40924FE2-219A-5FCE-A100-000000009101}", 
"process_hash": "null", "process_id": "2496", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:48:14", "lastTime": "2025-12-10T02:48:14"}, {"action": "allowed", "dest": "win-dc-893.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{40924FE2-215B-5FCE-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{40924FE2-219A-5FCE-A100-000000009101}", "process_hash": "null", "process_id": "2496", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:48:14", "lastTime": "2025-12-10T02:48:14"}, {"action": "allowed", "dest": "win-dc-906.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{410A3708-1AF5-606B-8900-00000000AE01}", "parent_process_id": "4300", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{410A3708-1AF5-606B-8B00-00000000AE01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2372", "process_integrity_level": 
"system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:04:53", "lastTime": "2025-12-10T07:04:53"}, {"action": "allowed", "dest": "win-dc-906.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{410A3708-1AF5-606B-8900-00000000AE01}", "parent_process_id": "4300", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{410A3708-1AF5-606B-8B00-00000000AE01}", "process_hash": "null", "process_id": "2372", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:04:53", "lastTime": "2025-12-10T07:04:53"}, {"action": "allowed", "dest": "win-dc-906.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{410A3708-1AF5-606B-8A00-00000000AE01}", "parent_process_id": "4324", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{410A3708-1AF5-606B-8B00-00000000AE01}", "process_hash": "null", "process_id": "2372", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:04:53", "lastTime": "2025-12-10T07:04:53"}, {"action": "allowed", "dest": "win-dc-906.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": 
"{410A3708-1AB6-606B-0500-00000000AE01}", "parent_process_id": "632", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{410A3708-1AF5-606B-8B00-00000000AE01}", "process_hash": "null", "process_id": "2372", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:04:53", "lastTime": "2025-12-10T07:04:53"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAxADEAMgAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA=", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1700-5FA5-D500-000000008801}", "parent_process_id": "3048", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /t REG_EXPAND_SZ /v SecurityHealth /d calc.exe /f\"", "process_exec": "cmd.exe", "process_guid": 
"{D0D4CC13-1701-5FA5-DC00-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3452", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:29", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAxADEAMgAiACAALQBDAGwAZQBhAG4AdQBwAA==", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1704-5FA5-EB00-000000008801}", "parent_process_id": "3684", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F400-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "1372", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAxADEAMgAiACAALQBDAGwAZQBhAG4AdQBwAA==", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1704-5FA5-EB00-000000008801}", "parent_process_id": "3684", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg delete HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v HideFileExt /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F000-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "872", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" 
-noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAxADEAMgAiACAALQBDAGwAZQBhAG4AdQBwAA==", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1704-5FA5-EB00-000000008801}", "parent_process_id": "3684", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg delete HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v SecurityHealth /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F200-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "1296", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\WinrsHost.exe -Embedding", "parent_process_exec": "winrshost.exe", "parent_process_guid": "{D0D4CC13-1677-5FA5-0E03-000000008701}", "parent_process_id": "3960", "parent_process_name": "winrshost.exe", "parent_process_path": "C:\\Windows\\System32\\winrshost.exe", "process": "C:\\Windows\\system32\\cmd.exe /C PowerShell -NoProfile 
-NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1677-5FA5-1003-000000008701}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4092", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:25:11", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{D0D4CC13-16DB-5FA5-8500-000000008801}", "parent_process_id": "2504", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-16DC-5FA5-8700-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4092", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:26:52", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", 
"original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "WinrsHost.exe", "parent_process_guid": "{D0D4CC13-1677-5FA5-0E03-000000008701}", "parent_process_id": "3960", "parent_process_name": "WinrsHost.exe", "parent_process_path": "C:\\Windows\\system32\\WinrsHost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1677-5FA5-1003-000000008701}", "process_hash": "null", "process_id": "4092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:25:11", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{D0D4CC13-16DB-5FA5-8500-000000008801}", "parent_process_id": "2504", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-16DC-5FA5-8700-000000008801}", "process_hash": "null", "process_id": "4092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:26:52", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D0D4CC13-1677-5FA5-0F03-000000008701}", "parent_process_id": "2500", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1677-5FA5-1003-000000008701}", "process_hash": "null", "process_id": 
"4092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:25:11", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D0D4CC13-16DB-5FA5-8600-000000008801}", "parent_process_id": "2520", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-16DC-5FA5-8700-000000008801}", "process_hash": "null", "process_id": "4092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:26:52", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D0D4CC13-16FF-5FA5-CE00-000000008801}", "parent_process_id": "3372", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1701-5FA5-DC00-000000008801}", "process_hash": "null", "process_id": "3452", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:29", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": 
"conhost.exe", "parent_process_guid": "{D0D4CC13-1703-5FA5-E400-000000008801}", "parent_process_id": "5036", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F000-000000008801}", "process_hash": "null", "process_id": "872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D0D4CC13-1703-5FA5-E400-000000008801}", "parent_process_id": "5036", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F200-000000008801}", "process_hash": "null", "process_id": "1296", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{D0D4CC13-1703-5FA5-E400-000000008801}", "parent_process_id": "5036", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F400-000000008801}", "process_hash": "null", "process_id": "1372", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D0D4CC13-14FB-5FA5-0500-000000008701}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1677-5FA5-1003-000000008701}", "process_hash": "null", "process_id": "4092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:25:11", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D0D4CC13-169C-5FA5-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-16DC-5FA5-8700-000000008801}", "process_hash": "null", "process_id": "4092", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:26:52", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D0D4CC13-169C-5FA5-0500-000000008801}", 
"parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1701-5FA5-DC00-000000008801}", "process_hash": "null", "process_id": "3452", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:29", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D0D4CC13-169C-5FA5-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F000-000000008801}", "process_hash": "null", "process_id": "872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D0D4CC13-169C-5FA5-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F200-000000008801}", "process_hash": "null", "process_id": "1296", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": 
"Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{D0D4CC13-169C-5FA5-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F400-000000008801}", "process_hash": "null", "process_id": "1372", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1700-5FA5-D500-000000008801}", "parent_process_id": "3048", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1701-5FA5-DC00-000000008801}", "process_hash": "null", "process_id": "3452", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "6", "firstTime": "2020-11-06T09:27:29", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1704-5FA5-EB00-000000008801}", "parent_process_id": "3684", "parent_process_name": "powershell.exe", 
"parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F000-000000008801}", "process_hash": "null", "process_id": "872", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "6", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1704-5FA5-EB00-000000008801}", "parent_process_id": "3684", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F200-000000008801}", "process_hash": "null", "process_id": "1296", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "6", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-918.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{D0D4CC13-1704-5FA5-EB00-000000008801}", "parent_process_id": "3684", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{D0D4CC13-1705-5FA5-F400-000000008801}", "process_hash": "null", "process_id": "1372", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": 
"unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "6", "firstTime": "2020-11-06T09:27:33", "lastTime": "2025-12-10T02:14:31"}, {"action": "allowed", "dest": "win-dc-919.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{172D79BE-E29E-6001-8800-00000000A301}", "parent_process_id": "4124", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{172D79BE-E29E-6001-8A00-00000000A301}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4256", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "allowed", "dest": "win-dc-919.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{172D79BE-E29E-6001-8800-00000000A301}", "parent_process_id": "4124", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{172D79BE-E29E-6001-8A00-00000000A301}", "process_hash": "null", "process_id": "4256", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", 
"firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "allowed", "dest": "win-dc-919.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{172D79BE-E29E-6001-8900-00000000A301}", "parent_process_id": "3240", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{172D79BE-E29E-6001-8A00-00000000A301}", "process_hash": "null", "process_id": "4256", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "allowed", "dest": "win-dc-919.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{172D79BE-E25E-6001-0500-00000000A301}", "parent_process_id": "640", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{172D79BE-E29E-6001-8A00-00000000A301}", "process_hash": "null", "process_id": "4256", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:11:22", "lastTime": "2025-12-10T00:36:05"}, {"action": "allowed", "dest": "win-dc-92.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{185176D3-ABD7-5FD0-9700-000000009101}", "parent_process_id": "4544", "parent_process_name": "cmd.exe", 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{185176D3-ABD7-5FD0-9900-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4672", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:31:06", "lastTime": "2025-12-10T02:31:06"}, {"action": "allowed", "dest": "win-dc-92.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{185176D3-ABD7-5FD0-9700-000000009101}", "parent_process_id": "4544", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{185176D3-ABD7-5FD0-9900-000000009101}", "process_hash": "null", "process_id": "4672", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:31:06", "lastTime": "2025-12-10T02:31:06"}, {"action": "allowed", "dest": "win-dc-92.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{185176D3-ABD7-5FD0-9800-000000009101}", "parent_process_id": "2356", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{185176D3-ABD7-5FD0-9900-000000009101}", "process_hash": "null", "process_id": "4672", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:31:06", "lastTime": "2025-12-10T02:31:06"}, {"action": "allowed", "dest": "win-dc-92.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{185176D3-AB97-5FD0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{185176D3-ABD7-5FD0-9900-000000009101}", "process_hash": "null", "process_id": "4672", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:31:06", "lastTime": "2025-12-10T02:31:06"}, {"action": "allowed", "dest": "win-dc-930.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{FEE103BD-7CD3-5FA1-A900-000000008801}", "parent_process_id": "4240", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{FEE103BD-7CD3-5FA1-AB00-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": 
"3836", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:03:15", "lastTime": "2025-12-10T01:03:15"}, {"action": "allowed", "dest": "win-dc-930.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{FEE103BD-7CD3-5FA1-A900-000000008801}", "parent_process_id": "4240", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{FEE103BD-7CD3-5FA1-AB00-000000008801}", "process_hash": "null", "process_id": "3836", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:03:15", "lastTime": "2025-12-10T01:03:15"}, {"action": "allowed", "dest": "win-dc-930.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{FEE103BD-7CD3-5FA1-AA00-000000008801}", "parent_process_id": "3996", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{FEE103BD-7CD3-5FA1-AB00-000000008801}", "process_hash": "null", "process_id": "3836", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:03:15", "lastTime": "2025-12-10T01:03:15"}, {"action": "allowed", "dest": "win-dc-930.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", 
"parent_process_guid": "{FEE103BD-7C94-5FA1-0500-000000008801}", "parent_process_id": "652", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{FEE103BD-7CD3-5FA1-AB00-000000008801}", "process_hash": "null", "process_id": "3836", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:03:15", "lastTime": "2025-12-10T01:03:15"}, {"action": "allowed", "dest": "win-dc-934.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{0309FDEB-F7EA-5FA8-7D00-000000008801}", "parent_process_id": "4960", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{0309FDEB-F7EA-5FA8-7F00-000000008801}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5012", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:16:48", "lastTime": "2025-12-10T01:16:48"}, {"action": "allowed", "dest": "win-dc-934.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{0309FDEB-F7EA-5FA8-7D00-000000008801}", 
"parent_process_id": "4960", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{0309FDEB-F7EA-5FA8-7F00-000000008801}", "process_hash": "null", "process_id": "5012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:16:48", "lastTime": "2025-12-10T01:16:48"}, {"action": "allowed", "dest": "win-dc-934.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{0309FDEB-F7EA-5FA8-7E00-000000008801}", "parent_process_id": "4968", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{0309FDEB-F7EA-5FA8-7F00-000000008801}", "process_hash": "null", "process_id": "5012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:16:48", "lastTime": "2025-12-10T01:16:48"}, {"action": "allowed", "dest": "win-dc-934.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{0309FDEB-F7AB-5FA8-0500-000000008801}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{0309FDEB-F7EA-5FA8-7F00-000000008801}", "process_hash": "null", "process_id": "5012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": 
"Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:16:48", "lastTime": "2025-12-10T01:16:48"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\Splunk.EXE\" restart --waitonpid=2428", "parent_process_exec": "splunk.exe", "parent_process_guid": "{3368E97D-BD51-5FC0-0E01-000000009101}", "parent_process_id": "4236", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "C:\\Windows\\system32\\cmd.exe /c btool server list general --no-log", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD52-5FC0-1201-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4464", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\Splunk.EXE\" restart --waitonpid=2428", "parent_process_exec": "splunk.exe", "parent_process_guid": "{3368E97D-BD51-5FC0-0E01-000000009101}", "parent_process_id": "4236", "parent_process_name": "splunk.exe", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe", "process": "C:\\Windows\\system32\\cmd.exe /c btool server list httpServerListener: --no-log", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD54-5FC0-1E01-000000009101}", "process_hash": 
"MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4032", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD31-5FC0-0001-000000009101}", "parent_process_id": "3900", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Atomic Red Team\" /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0501-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "876", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD31-5FC0-0001-000000009101}", 
"parent_process_id": "3900", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0701-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4464", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA==", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD2D-5FC0-E300-000000009101}", "parent_process_id": "4484", "parent_process_name": "powershell.exe", "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Atomic Red Team\" /t REG_SZ /F /D \"C:\\Path\\AtomicRedTeam.exe\"\"", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-E800-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "640", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQA1ADQANwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA==", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD2D-5FC0-E300-000000009101}", "parent_process_id": "4484", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": 
"\"C:\\Windows\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\Path\\AtomicRedTeam.dll\"\"", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-EA00-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "668", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3368E97D-BD0E-5FC0-9400-000000009101}", "parent_process_id": "3416", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD0E-5FC0-9600-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4032", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", 
"parent_process_exec": "Splunk.EXE", "parent_process_guid": "{3368E97D-BD51-5FC0-0E01-000000009101}", "parent_process_id": "4236", "parent_process_name": "Splunk.EXE", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\Splunk.EXE", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD52-5FC0-1201-000000009101}", "process_hash": "null", "process_id": "4464", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "Splunk.EXE", "parent_process_guid": "{3368E97D-BD51-5FC0-0E01-000000009101}", "parent_process_id": "4236", "parent_process_name": "Splunk.EXE", "parent_process_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\Splunk.EXE", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD54-5FC0-1E01-000000009101}", "process_hash": "null", "process_id": "4032", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3368E97D-BD0E-5FC0-9400-000000009101}", "parent_process_id": "3416", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD0E-5FC0-9600-000000009101}", "process_hash": "null", "process_id": "4032", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3368E97D-BCE2-5FC0-4000-000000009101}", "parent_process_id": "3336", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD52-5FC0-1201-000000009101}", "process_hash": "null", "process_id": "4464", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3368E97D-BCE2-5FC0-4000-000000009101}", "parent_process_id": "3336", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD54-5FC0-1E01-000000009101}", "process_hash": "null", "process_id": "4032", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", 
"parent_process_guid": "{3368E97D-BD0E-5FC0-9500-000000009101}", "parent_process_id": "4216", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD0E-5FC0-9600-000000009101}", "process_hash": "null", "process_id": "4032", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3368E97D-BD2C-5FC0-DB00-000000009101}", "parent_process_id": "4528", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-E800-000000009101}", "process_hash": "null", "process_id": "640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3368E97D-BD2C-5FC0-DB00-000000009101}", "parent_process_id": "4528", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-EA00-000000009101}", "process_hash": "null", "process_id": "668", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3368E97D-BD30-5FC0-F900-000000009101}", "parent_process_id": "3540", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0501-000000009101}", "process_hash": "null", "process_id": "876", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3368E97D-BD30-5FC0-F900-000000009101}", "parent_process_id": "3540", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0701-000000009101}", "process_hash": "null", "process_id": "4464", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3368E97D-BCCE-5FC0-0500-000000009101}", 
"parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD0E-5FC0-9600-000000009101}", "process_hash": "null", "process_id": "4032", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3368E97D-BCCE-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-E800-000000009101}", "process_hash": "null", "process_id": "640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3368E97D-BCCE-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-EA00-000000009101}", "process_hash": "null", "process_id": "668", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": 
"Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3368E97D-BCCE-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0501-000000009101}", "process_hash": "null", "process_id": "876", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3368E97D-BCCE-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0701-000000009101}", "process_hash": "null", "process_id": "4464", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3368E97D-BCCE-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": 
"C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD52-5FC0-1201-000000009101}", "process_hash": "null", "process_id": "4464", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3368E97D-BCCE-5FC0-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD54-5FC0-1E01-000000009101}", "process_hash": "null", "process_id": "4032", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD2D-5FC0-E300-000000009101}", "parent_process_id": "4484", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-E800-000000009101}", "process_hash": "null", "process_id": "640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": 
"2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD2D-5FC0-E300-000000009101}", "parent_process_id": "4484", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD2E-5FC0-EA00-000000009101}", "process_hash": "null", "process_id": "668", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD31-5FC0-0001-000000009101}", "parent_process_id": "3900", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0501-000000009101}", "process_hash": "null", "process_id": "876", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-942.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{3368E97D-BD31-5FC0-0001-000000009101}", "parent_process_id": "3900", "parent_process_name": "powershell.exe", 
"parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3368E97D-BD32-5FC0-0701-000000009101}", "process_hash": "null", "process_id": "4464", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T02:27:36", "lastTime": "2025-12-10T02:27:36"}, {"action": "allowed", "dest": "win-dc-957.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A5B539DC-4588-5FB6-B800-000000009101}", "parent_process_id": "5012", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{A5B539DC-4588-5FB6-BA00-000000009101}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4952", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:45:25", "lastTime": "2025-12-10T01:45:25"}, {"action": "allowed", "dest": "win-dc-957.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A5B539DC-4588-5FB6-B800-000000009101}", "parent_process_id": "5012", "parent_process_name": "cmd.exe", "parent_process_path": 
"C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A5B539DC-4588-5FB6-BA00-000000009101}", "process_hash": "null", "process_id": "4952", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:45:25", "lastTime": "2025-12-10T01:45:25"}, {"action": "allowed", "dest": "win-dc-957.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{A5B539DC-4588-5FB6-B900-000000009101}", "parent_process_id": "4944", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A5B539DC-4588-5FB6-BA00-000000009101}", "process_hash": "null", "process_id": "4952", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:45:25", "lastTime": "2025-12-10T01:45:25"}, {"action": "allowed", "dest": "win-dc-957.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A5B539DC-4549-5FB6-0500-000000009101}", "parent_process_id": "644", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A5B539DC-4588-5FB6-BA00-000000009101}", "process_hash": "null", "process_id": "4952", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T01:45:25", "lastTime": 
"2025-12-10T01:45:25"}, {"action": "allowed", "dest": "win-dc-960.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{C7A9AC19-4693-609D-8500-00000000BA01}", "parent_process_id": "4444", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{C7A9AC19-4693-609D-8700-00000000BA01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4500", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": "win-dc-960.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{C7A9AC19-4693-609D-8500-00000000BA01}", "parent_process_id": "4444", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{C7A9AC19-4693-609D-8700-00000000BA01}", "process_hash": "null", "process_id": "4500", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": 
"win-dc-960.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{C7A9AC19-4693-609D-8600-00000000BA01}", "parent_process_id": "4452", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{C7A9AC19-4693-609D-8700-00000000BA01}", "process_hash": "null", "process_id": "4500", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": "win-dc-960.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{C7A9AC19-4653-609D-0500-00000000BA01}", "parent_process_id": "412", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{C7A9AC19-4693-609D-8700-00000000BA01}", "process_hash": "null", "process_id": "4500", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": "win-dc-974.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "parent_process_exec": "powershell.exe", "parent_process_guid": "{05ADC7E1-6CB1-603E-34AA-00000000AD01}", "parent_process_id": "11696", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": 
"C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Administrator\\Desktop\\disable.bat\"\"", "process_exec": "cmd.exe", "process_guid": "{05ADC7E1-772B-603E-59AC-00000000AD01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "13944", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:29:59", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-974.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{05ADC7E1-6CB1-603E-35AA-00000000AD01}", "parent_process_id": "14828", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{05ADC7E1-772B-603E-59AC-00000000AD01}", "process_hash": "null", "process_id": "13944", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:29:59", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-974.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{05ADC7E1-29F0-6039-C005-00000000AD01}", "parent_process_id": "4944", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{05ADC7E1-772B-603E-59AC-00000000AD01}", "process_hash": "null", "process_id": "13944", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:29:59", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-974.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{05ADC7E1-6CB1-603E-34AA-00000000AD01}", "parent_process_id": "11696", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{05ADC7E1-772B-603E-59AC-00000000AD01}", "process_hash": "null", "process_id": "13944", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:29:59", "lastTime": "2025-12-10T07:29:59"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"C:\\Program Files\\Npcap\\CheckStatus.bat\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3381F800-7E2A-635A-1900-000000008A02}", "parent_process_id": "2068", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c reg query \"HKLM\\Software\\WOW6432Node\\Npcap\" /ve 2>nul | find \"REG_SZ\"", "process_exec": "cmd.exe", "process_guid": "{3381F800-7E2A-635A-1E00-000000008A02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2256", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", 
"user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3381F800-7E66-635A-7F00-000000008A02}", "parent_process_id": "4548", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{3381F800-7E66-635A-8100-000000008A02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "4600", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3381F800-7E2A-635A-1900-000000008A02}", "parent_process_id": "2068", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\SYSTEM32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2256", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft 
Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{3381F800-7E66-635A-7F00-000000008A02}", "parent_process_id": "4548", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3381F800-7E66-635A-8100-000000008A02}", "process_hash": "null", "process_id": "4600", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3381F800-7E2A-635A-1B00-000000008A02}", "parent_process_id": "2092", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2256", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{3381F800-7E66-635A-8000-000000008A02}", "parent_process_id": "4556", "parent_process_name": "conhost.exe", 
"parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3381F800-7E66-635A-8100-000000008A02}", "process_hash": "null", "process_id": "4600", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3381F800-7E23-635A-0500-000000008A02}", "parent_process_id": "408", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2256", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{3381F800-7E23-635A-0500-000000008A02}", "parent_process_id": "408", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{3381F800-7E66-635A-8100-000000008A02}", "process_hash": "null", "process_id": "4600", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": 
"1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"cmd.exe\" /s /k pushd \"C:\\Users\\Public\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "parent_process_id": "5892", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c reg query hklm\\system\\currentcontrolset\\services", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "6240", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"cmd.exe\" /s /k pushd \"C:\\Users\\Public\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "parent_process_id": "5892", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c sc qc \"SSDPSRV\" | findstr BINARY_PATH_NAME | findstr /i /v /l /c:\"c:\\windows\\system32\" | findstr /v /c:\"\"\"\"", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "6240", "process_integrity_level": 
"high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "aurora-agent.exe", "parent_process_guid": "{89C4FCAF-46C6-6387-1806-000000009402}", "parent_process_id": "5196", "parent_process_name": "aurora-agent.exe", "parent_process_path": "C:\\Program Files\\Aurora-Agent\\aurora-agent.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "null", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "18", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "parent_process_id": "5892", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "null", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": 
"unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "parent_process_id": "5892", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "null", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{89C4FCAF-57DF-6387-6408-000000009402}", "parent_process_id": "7016", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "null", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{89C4FCAF-57DF-6387-6408-000000009402}", "parent_process_id": "7016", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "null", "process_id": "6240", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{89C4FCAF-57DF-6387-6408-000000009402}", "parent_process_id": "7016", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "null", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{89C4FCAF-46B5-6387-F305-000000009402}", "parent_process_id": "172", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "null", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": 
"unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{89C4FCAF-46B5-6387-F305-000000009402}", "parent_process_id": "172", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "null", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{89C4FCAF-46B5-6387-F305-000000009402}", "parent_process_id": "172", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "null", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "wmiprvse.exe", "parent_process_guid": "{89C4FCAF-4AC9-6387-B406-000000009402}", "parent_process_id": "4460", "parent_process_name": "wmiprvse.exe", "parent_process_path": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "null", "process_id": "5892", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"C:\\Program Files\\Npcap\\CheckStatus.bat\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A78D3DEB-1A7C-634D-1800-000000008502}", "parent_process_id": "1980", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c reg query \"HKLM\\Software\\WOW6432Node\\Npcap\" /ve 2>nul | find \"REG_SZ\"", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1A7D-634D-1C00-000000008502}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2148", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A78D3DEB-1AB9-634D-7D00-000000008502}", "parent_process_id": "1628", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", 
"process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1AB9-634D-7F00-000000008502}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3520", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "aurora-agent.exe", "parent_process_guid": "{A78D3DEB-0DF1-6349-9800-000000008302}", "parent_process_id": "5888", "parent_process_name": "aurora-agent.exe", "parent_process_path": "C:\\Program Files\\Aurora-Agent\\aurora-agent.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-13B4-6349-F101-000000008302}", "process_hash": "null", "process_id": "1208", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "43", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "aurora-agent.exe", "parent_process_guid": "{A78D3DEB-0DF1-6349-9800-000000008302}", "parent_process_id": "5888", "parent_process_name": "aurora-agent.exe", "parent_process_path": "C:\\Program Files\\Aurora-Agent\\aurora-agent.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1650-6349-5702-000000008302}", "process_hash": "null", "process_id": "5668", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A78D3DEB-1A7C-634D-1800-000000008502}", "parent_process_id": "1980", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\SYSTEM32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2148", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{A78D3DEB-1AB9-634D-7D00-000000008502}", "parent_process_id": "1628", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1AB9-634D-7F00-000000008502}", "process_hash": "null", "process_id": "3520", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": 
"{A78D3DEB-13B4-6349-F201-000000008302}", "parent_process_id": "9204", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-13B4-6349-F101-000000008302}", "process_hash": "null", "process_id": "1208", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{A78D3DEB-15DD-6349-4102-000000008302}", "parent_process_id": "5436", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-15DD-6349-4002-000000008302}", "process_hash": "null", "process_id": "8888", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{A78D3DEB-164B-6349-5202-000000008302}", "parent_process_id": "3200", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-164B-6349-5102-000000008302}", "process_hash": "null", "process_id": "6824", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{A78D3DEB-164C-6349-5502-000000008302}", "parent_process_id": "5832", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-164C-6349-5402-000000008302}", "process_hash": "null", "process_id": "5108", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{A78D3DEB-1650-6349-5802-000000008302}", "parent_process_id": "7224", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1650-6349-5702-000000008302}", "process_hash": "null", "process_id": "5668", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", 
"parent_process_guid": "{A78D3DEB-1A7C-634D-1A00-000000008502}", "parent_process_id": "2016", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2148", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{A78D3DEB-1AB9-634D-7E00-000000008502}", "parent_process_id": "2096", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1AB9-634D-7F00-000000008502}", "process_hash": "null", "process_id": "3520", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A78D3DEB-0DE3-6349-7E00-000000008302}", "parent_process_id": "4136", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-13B4-6349-F101-000000008302}", "process_hash": "null", "process_id": "1208", "process_integrity_level": "null", "process_name": 
"cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A78D3DEB-0DE3-6349-7E00-000000008302}", "parent_process_id": "4136", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-15DD-6349-4002-000000008302}", "process_hash": "null", "process_id": "8888", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A78D3DEB-0DE3-6349-7E00-000000008302}", "parent_process_id": "4136", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-164B-6349-5102-000000008302}", "process_hash": "null", "process_id": "6824", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", 
"parent_process_guid": "{A78D3DEB-0DE3-6349-7E00-000000008302}", "parent_process_id": "4136", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-164C-6349-5402-000000008302}", "process_hash": "null", "process_id": "5108", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A78D3DEB-0DE3-6349-7E00-000000008302}", "parent_process_id": "4136", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1650-6349-5702-000000008302}", "process_hash": "null", "process_id": "5668", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A78D3DEB-1A79-634D-0500-000000008502}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2148", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{A78D3DEB-1A79-634D-0500-000000008502}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-1AB9-634D-7F00-000000008502}", "process_hash": "null", "process_id": "3520", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{A78D3DEB-0DAD-6349-1100-000000008302}", "parent_process_id": "488", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-15DD-6349-4002-000000008302}", "process_hash": "null", "process_id": "8888", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", 
"parent_process_guid": "{A78D3DEB-0DAD-6349-1100-000000008302}", "parent_process_id": "488", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-164B-6349-5102-000000008302}", "process_hash": "null", "process_id": "6824", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{A78D3DEB-0DAD-6349-1100-000000008302}", "parent_process_id": "488", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{A78D3DEB-164C-6349-5402-000000008302}", "process_hash": "null", "process_id": "5108", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:53:49", "lastTime": "2025-12-10T04:53:49"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\rdp\\install.vbs\"", "parent_process_exec": "wscript.exe", "parent_process_guid": "{B58D6529-E907-62A1-F702-000000006102}", "parent_process_id": "6340", "parent_process_name": "wscript.exe", "parent_process_path": "C:\\Windows\\SysWOW64\\wscript.exe", "process": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\rdp\\bat.bat\" \"", "process_exec": "cmd.exe", "process_guid": 
"{B58D6529-E907-62A1-FF02-000000006102}", "process_hash": "MD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A", "process_id": "6640", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:19", "lastTime": "2026-01-23T22:13:24"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "WScript.exe", "parent_process_guid": "{B58D6529-E907-62A1-F702-000000006102}", "parent_process_id": "6340", "parent_process_name": "WScript.exe", "parent_process_path": "C:\\Windows\\SysWOW64\\WScript.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B58D6529-E907-62A1-FF02-000000006102}", "process_hash": "null", "process_id": "6640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:19", "lastTime": "2026-01-23T22:13:24"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{B58D6529-E907-62A1-0003-000000006102}", "parent_process_id": "6620", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B58D6529-E907-62A1-FF02-000000006102}", "process_hash": "null", "process_id": "6640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "user": "unknown", "user_id": "null", 
"vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:19", "lastTime": "2026-01-23T22:13:24"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{B58D6529-E481-62A1-C800-000000006102}", "parent_process_id": "2196", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B58D6529-E907-62A1-FF02-000000006102}", "process_hash": "null", "process_id": "6640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:19", "lastTime": "2026-01-23T22:13:24"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{B58D6529-E26D-62A1-1300-000000006102}", "parent_process_id": "340", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B58D6529-E907-62A1-FF02-000000006102}", "process_hash": "null", "process_id": "6640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:19", "lastTime": "2026-01-23T22:13:24"}, {"action": "allowed", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "taskhostw.exe", "parent_process_guid": "{B58D6529-E907-62A1-FA02-000000006102}", "parent_process_id": "6408", 
"parent_process_name": "taskhostw.exe", "parent_process_path": "C:\\Programdata\\RealtekHD\\taskhostw.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{B58D6529-E907-62A1-FF02-000000006102}", "process_hash": "null", "process_id": "6640", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:35:20", "lastTime": "2026-01-23T22:13:24"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{C64CDE3E-2D41-6227-9907-000000003602}", "parent_process_id": "5448", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{C64CDE3E-2D41-6227-9807-000000003602}", "process_hash": "null", "process_id": "2360", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:17:37", "lastTime": "2025-12-10T02:08:59"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{C64CDE3E-2D66-6227-AB07-000000003602}", "parent_process_id": "4216", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{C64CDE3E-2D66-6227-AA07-000000003602}", "process_hash": "null", "process_id": "6916", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": 
"unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:18:14", "lastTime": "2025-12-10T02:08:59"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{C64CDE3E-200C-6227-FA01-000000003602}", "parent_process_id": "3796", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{C64CDE3E-2D41-6227-9807-000000003602}", "process_hash": "null", "process_id": "2360", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:17:37", "lastTime": "2025-12-10T02:08:59"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{C64CDE3E-200C-6227-FA01-000000003602}", "parent_process_id": "3796", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{C64CDE3E-2D66-6227-AA07-000000003602}", "process_hash": "null", "process_id": "6916", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:18:14", "lastTime": "2025-12-10T02:08:59"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 
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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7942A313-ECE7-61FC-A302-000000002D02}", "parent_process_id": "7268", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg delete \"hklm\\system\\currentcontrolset\\control\\print\\monitors\\ART\" /f >nul 2>&1\"", "process_exec": "cmd.exe", "process_guid": "{7942A313-ECE9-61FC-A902-000000002D02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "7644", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "\"powershell.exe\" -noninteractive -encodedcommand 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", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7942A313-ECE3-61FC-9202-000000002D02}", "parent_process_id": "6300", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "\"C:\\Windows\\system32\\cmd.exe\" /c \"reg add \"hklm\\system\\currentcontrolset\\control\\print\\monitors\\ART\" /v \"Atomic Red Team\" /d \"C:\\Path\\AtomicRedTeam.dll\" /t REG_SZ\"", "process_exec": "cmd.exe", "process_guid": "{7942A313-ECE5-61FC-9702-000000002D02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", 
"process_id": "7348", "process_integrity_level": "high", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "Administrator", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7942A313-ECE1-61FC-8B02-000000002D02}", "parent_process_id": "7516", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7942A313-ECE5-61FC-9702-000000002D02}", "process_hash": "null", "process_id": "7348", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7942A313-ECE5-61FC-9B02-000000002D02}", "parent_process_id": "7072", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7942A313-ECE9-61FC-A902-000000002D02}", "process_hash": "null", "process_id": "7644", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", 
"original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7942A313-E057-61FC-0500-000000002D02}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7942A313-ECE5-61FC-9702-000000002D02}", "process_hash": "null", "process_id": "7348", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7942A313-E057-61FC-0500-000000002D02}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7942A313-ECE9-61FC-A902-000000002D02}", "process_hash": "null", "process_id": "7644", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7942A313-ECE3-61FC-9202-000000002D02}", "parent_process_id": "6300", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{7942A313-ECE5-61FC-9702-000000002D02}", "process_hash": "null", "process_id": "7348", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-492.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "powershell.exe", "parent_process_guid": "{7942A313-ECE7-61FC-A302-000000002D02}", "parent_process_id": "7268", "parent_process_name": "powershell.exe", "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7942A313-ECE9-61FC-A902-000000002D02}", "process_hash": "null", "process_id": "7644", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-10T06:59:22", "lastTime": "2025-12-10T06:59:22"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{328C47E9-4599-621F-1908-000000003602}", "parent_process_id": "6964", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{328C47E9-4599-621F-1808-000000003602}", "process_hash": "null", "process_id": "1940", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:23:21", "lastTime": 
"2025-12-09T22:32:31"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{328C47E9-38F4-621F-1506-000000003602}", "parent_process_id": "3948", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{328C47E9-4599-621F-1808-000000003602}", "process_hash": "null", "process_id": "1940", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:23:21", "lastTime": "2025-12-09T22:32:31"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{328C47E9-32BE-621F-1300-000000003602}", "parent_process_id": "956", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{328C47E9-4599-621F-1808-000000003602}", "process_hash": "null", "process_id": "1940", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:23:21", "lastTime": "2025-12-09T22:32:31"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-72.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{15964E91-152C-620E-EF07-000000003602}", "parent_process_id": "5268", "parent_process_name": "conhost.exe", "parent_process_path": 
"C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{15964E91-152C-620E-EE07-000000003602}", "process_hash": "null", "process_id": "5924", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-02-17T09:28:12", "lastTime": "2025-12-10T02:12:30"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-72.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{15964E91-0B49-620E-4B06-000000003602}", "parent_process_id": "2436", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{15964E91-152C-620E-EE07-000000003602}", "process_hash": "null", "process_id": "5924", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-02-17T09:28:12", "lastTime": "2025-12-10T02:12:30"}, {"action": "allowed", "dest": "win-dc-tcontreras-attack-range-72.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{15964E91-0551-620E-1300-000000003602}", "parent_process_id": "664", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{15964E91-152C-620E-EE07-000000003602}", "process_hash": "null", "process_id": "5924", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "3", 
"firstTime": "2022-02-17T09:28:12", "lastTime": "2025-12-10T02:12:30"}, {"action": "allowed", "dest": "win-host-522", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E22C7671-DC9F-6113-7900-00000000E601}", "parent_process_id": "3988", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{E22C7671-DC9F-6113-7B00-00000000E601}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2980", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "allowed", "dest": "win-host-522", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E22C7671-DC9F-6113-7900-00000000E601}", "parent_process_id": "3988", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E22C7671-DC9F-6113-7B00-00000000E601}", "process_hash": "null", "process_id": "2980", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "allowed", "dest": 
"win-host-522", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E22C7671-DC9F-6113-7A00-00000000E601}", "parent_process_id": "2964", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E22C7671-DC9F-6113-7B00-00000000E601}", "process_hash": "null", "process_id": "2980", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "allowed", "dest": "win-host-522", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E22C7671-DC61-6113-0500-00000000E601}", "parent_process_id": "400", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E22C7671-DC9F-6113-7B00-00000000E601}", "process_hash": "null", "process_id": "2980", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "allowed", "dest": "win-host-542.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{69CF5F33-18D7-6154-6E00-00000000FE01}", "parent_process_id": "2544", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe 
query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{69CF5F33-18D7-6154-7000-00000000FE01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3304", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-host-542.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{69CF5F33-18D7-6154-6E00-00000000FE01}", "parent_process_id": "2544", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{69CF5F33-18D7-6154-7000-00000000FE01}", "process_hash": "null", "process_id": "3304", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-host-542.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{69CF5F33-18D7-6154-6F00-00000000FE01}", "parent_process_id": "3168", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{69CF5F33-18D7-6154-7000-00000000FE01}", "process_hash": "null", "process_id": "3304", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-host-542.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{69CF5F33-1898-6154-0500-00000000FE01}", "parent_process_id": "420", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{69CF5F33-18D7-6154-7000-00000000FE01}", "process_hash": "null", "process_id": "3304", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:35:43", "lastTime": "2025-12-10T04:35:43"}, {"action": "allowed", "dest": "win-host-8.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E592D445-2C68-5FA9-7300-000000008901}", "parent_process_id": "3384", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{E592D445-2C68-5FA9-7500-000000008901}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3556", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", 
"user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-host-8.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{E592D445-2C68-5FA9-7300-000000008901}", "parent_process_id": "3384", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E592D445-2C68-5FA9-7500-000000008901}", "process_hash": "null", "process_id": "3556", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-host-8.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{E592D445-2C68-5FA9-7400-000000008901}", "parent_process_id": "3904", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E592D445-2C68-5FA9-7500-000000008901}", "process_hash": "null", "process_id": "3556", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-host-8.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{E592D445-2C2A-5FA9-0500-000000008901}", "parent_process_id": "648", "parent_process_name": "csrss.exe", 
"parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{E592D445-2C68-5FA9-7500-000000008901}", "process_hash": "null", "process_id": "3556", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T23:13:52", "lastTime": "2025-12-10T00:38:35"}, {"action": "allowed", "dest": "win-host-977.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{61981517-E70C-60C1-7800-00000000C501}", "parent_process_id": "2532", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{61981517-E70C-60C1-7A00-00000000C501}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3232", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-host-977.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{61981517-E70C-60C1-7800-00000000C501}", "parent_process_id": "2532", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": 
"unknown", "process_exec": "cmd.exe", "process_guid": "{61981517-E70C-60C1-7A00-00000000C501}", "process_hash": "null", "process_id": "3232", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-host-977.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{61981517-E70C-60C1-7900-00000000C501}", "parent_process_id": "3060", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{61981517-E70C-60C1-7A00-00000000C501}", "process_hash": "null", "process_id": "3232", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", "dest": "win-host-977.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{61981517-E6CE-60C1-0500-00000000C501}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{61981517-E70C-60C1-7A00-00000000C501}", "process_hash": "null", "process_id": "3232", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "allowed", 
"dest": "win-host-979.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{33D466E7-4892-609D-7800-00000000BB01}", "parent_process_id": "2492", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{33D466E7-4892-609D-7A00-00000000BB01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3784", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": "win-host-979.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{33D466E7-4892-609D-7800-00000000BB01}", "parent_process_id": "2492", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{33D466E7-4892-609D-7A00-00000000BB01}", "process_hash": "null", "process_id": "3784", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": "win-host-979.attackrange.local", "original_file_name": "unknown", 
"parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{33D466E7-4892-609D-7900-00000000BB01}", "parent_process_id": "2932", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{33D466E7-4892-609D-7A00-00000000BB01}", "process_hash": "null", "process_id": "3784", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": "win-host-979.attackrange.local", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{33D466E7-4853-609D-0500-00000000BB01}", "parent_process_id": "408", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{33D466E7-4892-609D-7A00-00000000BB01}", "process_hash": "null", "process_id": "3784", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\SYSTEM32\\cmd.exe /c \"C:\\Program Files\\Npcap\\CheckStatus.bat\"", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5C0BDE06-1A79-634D-1900-000000008502}", "parent_process_id": "1788", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c reg query \"HKLM\\Software\\WOW6432Node\\Npcap\" /ve 2>nul | find 
\"REG_SZ\"", "process_exec": "cmd.exe", "process_guid": "{5C0BDE06-1A7A-634D-2800-000000008502}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "2812", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5C0BDE06-1AB5-634D-7600-000000008502}", "parent_process_id": "3700", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{5C0BDE06-1AB6-634D-7800-000000008502}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3892", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5C0BDE06-1A79-634D-1900-000000008502}", "parent_process_id": "1788", "parent_process_name": "cmd.exe", 
"parent_process_path": "C:\\Windows\\SYSTEM32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2812", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{5C0BDE06-1AB5-634D-7600-000000008502}", "parent_process_id": "3700", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5C0BDE06-1AB6-634D-7800-000000008502}", "process_hash": "null", "process_id": "3892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5C0BDE06-1A79-634D-1B00-000000008502}", "parent_process_id": "1872", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2812", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": 
"2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{5C0BDE06-1AB5-634D-7700-000000008502}", "parent_process_id": "3720", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{5C0BDE06-1AB6-634D-7800-000000008502}", "process_hash": "null", "process_id": "3892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5C0BDE06-1A77-634D-0500-000000008502}", "parent_process_id": "424", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{00000000-0000-0000-0000-000000000000}", "process_hash": "null", "process_id": "2812", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-17", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{5C0BDE06-1A77-634D-0500-000000008502}", "parent_process_id": "424", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", 
"process_exec": "cmd.exe", "process_guid": "{5C0BDE06-1AB6-634D-7800-000000008502}", "process_hash": "null", "process_id": "3892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-276", "original_file_name": "Cmd.Exe", "parent_process": "C:\\Windows\\system32\\cmd.exe /d /c C:\\Windows\\system32\\silcollector.cmd configure", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7C68B4B2-7E34-635A-6C00-000000008B02}", "parent_process_id": "3584", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "process": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64", "process_exec": "cmd.exe", "process_guid": "{7C68B4B2-7E34-635A-6E00-000000008B02}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "3696", "process_integrity_level": "system", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "SYSTEM", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-276", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "cmd.exe", "parent_process_guid": "{7C68B4B2-7E34-635A-6C00-000000008B02}", "parent_process_id": "3584", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\system32\\cmd.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": 
"{7C68B4B2-7E34-635A-6E00-000000008B02}", "process_hash": "null", "process_id": "3696", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-276", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{7C68B4B2-7E34-635A-6D00-000000008B02}", "parent_process_id": "3576", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7C68B4B2-7E34-635A-6E00-000000008B02}", "process_hash": "null", "process_id": "3696", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-276", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{7C68B4B2-7DF6-635A-0500-000000008B02}", "parent_process_id": "416", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{7C68B4B2-7E34-635A-6E00-000000008B02}", "process_hash": "null", "process_id": "3696", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", 
"original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{223CB5FF-7B57-6442-3603-00000000DD02}", "parent_process_id": "7028", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7B57-6442-3503-00000000DD02}", "process_hash": "null", "process_id": "7012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:31", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{223CB5FF-7B90-6442-5003-00000000DD02}", "parent_process_id": "3000", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7B90-6442-4F03-00000000DD02}", "process_hash": "null", "process_id": "2944", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:03:28", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{223CB5FF-7BEE-6442-6203-00000000DD02}", "parent_process_id": "6956", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7BEE-6442-6103-00000000DD02}", "process_hash": "null", 
"process_id": "6272", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:02", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "conhost.exe", "parent_process_guid": "{223CB5FF-7C2E-6442-7C03-00000000DD02}", "parent_process_id": "2212", "parent_process_name": "conhost.exe", "parent_process_path": "C:\\Windows\\system32\\conhost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7C2E-6442-7B03-00000000DD02}", "process_hash": "null", "process_id": "6648", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{223CB5FF-7189-6442-5701-00000000DD02}", "parent_process_id": "2864", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7B57-6442-3503-00000000DD02}", "process_hash": "null", "process_id": "7012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:31", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", 
"parent_process_exec": "csrss.exe", "parent_process_guid": "{223CB5FF-7189-6442-5701-00000000DD02}", "parent_process_id": "2864", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7B90-6442-4F03-00000000DD02}", "process_hash": "null", "process_id": "2944", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:03:28", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{223CB5FF-7189-6442-5701-00000000DD02}", "parent_process_id": "2864", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7BEE-6442-6103-00000000DD02}", "process_hash": "null", "process_id": "6272", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:02", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "csrss.exe", "parent_process_guid": "{223CB5FF-7189-6442-5701-00000000DD02}", "parent_process_id": "2864", "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\system32\\csrss.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7C2E-6442-7B03-00000000DD02}", "process_hash": "null", "process_id": "6648", "process_integrity_level": "null", "process_name": "cmd.exe", 
"process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{223CB5FF-6DE2-6442-1200-00000000DD02}", "parent_process_id": "104", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7B57-6442-3503-00000000DD02}", "process_hash": "null", "process_id": "7012", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:31", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{223CB5FF-6DE2-6442-1200-00000000DD02}", "parent_process_id": "104", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7B90-6442-4F03-00000000DD02}", "process_hash": "null", "process_id": "2944", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:03:28", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": 
"{223CB5FF-6DE2-6442-1200-00000000DD02}", "parent_process_id": "104", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7BEE-6442-6103-00000000DD02}", "process_hash": "null", "process_id": "6272", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:02", "lastTime": "2025-12-09T22:54:57"}, {"action": "allowed", "dest": "win-host-ctus-attack-range-328", "original_file_name": "unknown", "parent_process": "unknown", "parent_process_exec": "svchost.exe", "parent_process_guid": "{223CB5FF-6DE2-6442-1200-00000000DD02}", "parent_process_id": "104", "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{223CB5FF-7C2E-6442-7B03-00000000DD02}", "process_hash": "null", "process_id": "6648", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\system32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "7540", "process_integrity_level": "null", 
"process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": 
"win-dc-89.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "CmdExt.DLL", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5F", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "CmdExt.DLL", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": 
"cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5F", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "CmdExt.DLL", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5F", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "CmdExt.DLL", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5F", "process_id": "9356", "process_integrity_level": 
"null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "Kernelbase.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "Kernelbase.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": 
"win-dc-89.attackrange.local", "original_file_name": "Kernelbase.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "Kernelbase.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "advapi32.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", 
"process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "advapi32.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "advapi32.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA", "process_id": "7076", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "advapi32.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "kernel32", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": 
"success", "dest": "win-dc-89.attackrange.local", "original_file_name": "kernel32", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "kernel32", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "kernel32", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", 
"process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "msvcrt.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "msvcrt.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF", "process_id": "9004", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "msvcrt.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "msvcrt.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": 
"success", "dest": "win-dc-89.attackrange.local", "original_file_name": "ntdll.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "ntdll.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "ntdll.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", 
"process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "ntdll.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "rpcrt4.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E", "process_id": "7540", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "rpcrt4.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "rpcrt4.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": 
"success", "dest": "win-dc-89.attackrange.local", "original_file_name": "rpcrt4.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E", "process_id": "9356", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "sechost.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-2FEF-60EC-080A-00000000DB01}", "process_hash": "MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40", "process_id": "7540", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "sechost.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": 
"unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-307A-60EC-290A-00000000DB01}", "process_hash": "MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40", "process_id": "9004", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "sechost.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3168-60EC-530A-00000000DB01}", "process_hash": "MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40", "process_id": "7076", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-89.attackrange.local", "original_file_name": "sechost.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{8057F119-3242-60EC-7A0A-00000000DB01}", "process_hash": "MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40", "process_id": "9356", 
"process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:26:24", "lastTime": "2025-12-10T03:26:24"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": 
"2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Cmd.Exe", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "CmdExt.DLL", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=71B9AD2C078C208ED1633DE7DDAA834F,SHA256=44A35F3F5561E722EA1ED9A128BFF127E6086B114678774BC674BC717DD779B4,IMPHASH=03503926F7A6CC110815DF46C0AEFD5F", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Kernelbase.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": 
"null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Kernelbase.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "MD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "Kernelbase.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": 
"MD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "advapi32.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "kernel32", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "kernel32", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "kernel32", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": 
"win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "msvcrt.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "msvcrt.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": "MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "msvcrt.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", 
"parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "ntdll.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "ntdll.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-586E-6387-480B-000000009402}", "process_hash": 
"MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "ntdll.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-589C-6387-7412-000000009402}", "process_hash": "MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000", "process_id": "6240", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "rpcrt4.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": 
"C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}, {"action": "success", "dest": "win-dc-ctus-attack-range-657.attackrange.local", "original_file_name": "sechost.dll", "parent_process": "unknown", "parent_process_exec": "null", "parent_process_guid": "null", "parent_process_id": "null", "parent_process_name": "unknown", "parent_process_path": "null", "process": "unknown", "process_exec": "cmd.exe", "process_guid": "{89C4FCAF-57DF-6387-6308-000000009402}", "process_hash": "MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40", "process_id": "5892", "process_integrity_level": "null", "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "user": "unknown", "user_id": "null", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:21:23", "lastTime": "2025-12-09T22:21:23"}], "error": null} +{"file_name": "windows_modify_registry_authenticationleveloverride.yml", "description": "The following analytic detects modifications to the Windows registry key \"AuthenticationLevelOverride\" within the Terminal Server Client settings. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry value is set to 0x00000000. This activity is significant as it may indicate an attempt to override authentication levels for remote connections, a tactic used by DarkGate malware for malicious installations. 
If confirmed malicious, this could allow attackers to gain unauthorized remote access, potentially leading to data exfiltration or further system compromise.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Server Client\\\\AuthenticationLevelOverride\" Registry.registry_value_data = 0x00000000 by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_authenticationleveloverride_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-24F0-655F-3B04-000000002903}", "process_id": "4464", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Terminal Server Client\\AuthenticationLevelOverride", "registry_key_name": "Terminal Server Client", "registry_value_data": "0x00000000", "registry_value_name": "AuthenticationLevelOverride", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T10:09:52", "lastTime": "2023-11-23T10:09:52"}], "error": null} +{"file_name": "disable_security_logs_using_minint_registry.yml", "description": "The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the \"Control\\\\MiniNt\" registry path. 
This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "results": [{"action": "modified", "dest": "win-dc-676.attackrange.local", "process_guid": "{6EDEAD03-1101-615C-0007-00000000FB01}", "process_id": "1492", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\MiniNt\\(Default)", "registry_key_name": "MiniNt", "registry_value_data": "(Empty)", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2021-10-05T08:46:57", "lastTime": "2025-12-10T02:09:30"}], "error": null} +{"file_name": "windows_snake_malware_registry_modification_wav_openwithprogids.yml", "description": "The following analytic identifies modifications to the registry path .wav\\\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. 
This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.", "spl_query": "| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\.wav\\\\OpenWithProgIds\\\\*\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`", "results": [{"action": "modified", "dest": "mswin-server.attackrange.local", "process_guid": "{EF490992-8FFB-645A-7087-00000000CE02}", "process_id": "7068", "registry_hive": "null", "registry_path": "HKCR\\.wav\\OpenWithProgIds\\AtomicSnake", "registry_key_name": "OpenWithProgIds", "registry_value_data": "Binary Data", "registry_value_name": "AtomicSnake", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-05-10T16:03:44", "lastTime": "2023-05-10T16:03:44"}, {"action": "modified", "dest": "mswin-server.attackrange.local", "process_guid": "{EF490992-C0A1-645B-A0A1-00000000CE02}", "process_id": "8464", "registry_hive": "null", "registry_path": "HKCR\\.wav\\OpenWithProgIds\\AtomicSnake", "registry_key_name": "OpenWithProgIds", 
"registry_value_data": "Binary Data", "registry_value_name": "AtomicSnake", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2023-05-10T16:04:49", "lastTime": "2025-12-09T22:20:51"}, {"action": "modified", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-CBBD-6140-CEBF-01000000F001}", "process_id": "8084", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2453051693-1864363570-3931539573-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wav\\OpenWithProgids\\WMP11.AssocFile.WAV", "registry_key_name": "OpenWithProgids", "registry_value_data": "Binary Data", "registry_value_name": "WMP11.AssocFile.WAV", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:50:18", "lastTime": "2025-12-10T04:50:18"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "process_guid": "{A78D3DEB-1AE9-634D-9A00-000000008502}", "process_id": "4876", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2101601273-3326142395-4157521269-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.wav\\OpenWithProgids\\WMP11.AssocFile.WAV", "registry_key_name": "OpenWithProgids", "registry_value_data": "Binary Data", "registry_value_name": "WMP11.AssocFile.WAV", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}], "error": null} +{"file_name": "windows_modify_registry_risk_behavior.yml", "description": "The following analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected. 
It leverages data from the Risk data model in Splunk, focusing on registry-related sources and MITRE technique annotations. This activity is significant because multiple registry modifications can indicate an attempt to persist, hide malicious configurations, or erase forensic evidence. If confirmed malicious, this behavior could allow attackers to maintain persistent access, execute malicious code, and evade detection, posing a severe threat to the integrity and security of the affected host.", "spl_query": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN (\"*registry*\") All_Risk.annotations.mitre_attack.mitre_technique_id IN (\"*T1112*\") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 3 | `windows_modify_registry_risk_behavior_filter`", "results": [], "error": "Search job failed"} +{"file_name": "windows_modify_show_compress_color_and_info_tip_registry.yml", "description": "The following analytic detects suspicious modifications to the Windows registry keys related to file compression color and information tips. 
It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the \"ShowCompColor\" and \"ShowInfoTip\" values under the \"Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\" path. This activity is significant as it was observed in the Hermetic Wiper malware, indicating potential malicious intent to alter file attributes and user interface elements. If confirmed malicious, this could signify an attempt to manipulate file visibility and deceive users, potentially aiding in further malicious activities.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "results": [{"action": "modified", "dest": "win-dc-tcontreras-attack-range-478.attackrange.local", "process_guid": "{414E8EDF-CABB-6218-F103-000000003702}", "process_id": "6068", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-19\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowCompColor", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:32:01", "lastTime": 
"2025-12-09T22:32:01"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-478.attackrange.local", "process_guid": "{414E8EDF-CABB-6218-F103-000000003702}", "process_id": "6068", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-19\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowInfoTip", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:32:01", "lastTime": "2025-12-09T22:32:01"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-478.attackrange.local", "process_guid": "{414E8EDF-CABB-6218-F103-000000003702}", "process_id": "6068", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-20\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowCompColor", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:32:01", "lastTime": "2025-12-09T22:32:01"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-478.attackrange.local", "process_guid": "{414E8EDF-CABB-6218-F103-000000003702}", "process_id": "6068", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-20\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowInfoTip", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:32:01", "lastTime": "2025-12-09T22:32:01"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-478.attackrange.local", 
"process_guid": "{414E8EDF-CABB-6218-F103-000000003702}", "process_id": "6068", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-795933930-2430943309-2786954947-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowCompColor", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:32:01", "lastTime": "2025-12-09T22:32:01"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-478.attackrange.local", "process_guid": "{414E8EDF-CABB-6218-F103-000000003702}", "process_id": "6068", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-795933930-2430943309-2786954947-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowInfoTip", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:32:01", "lastTime": "2025-12-09T22:32:01"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", "process_guid": "{328C47E9-4599-621F-1A08-000000003602}", "process_id": "3352", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-255986400-45527644-2136164048-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowCompColor", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:23:21", "lastTime": "2025-12-09T22:32:31"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-682.attackrange.local", 
"process_guid": "{328C47E9-4599-621F-1B08-000000003602}", "process_id": "7380", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-255986400-45527644-2136164048-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowInfoTip", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-02T10:23:21", "lastTime": "2025-12-09T22:32:31"}], "error": null} +{"file_name": "windows_modify_registry_proxyserver.yml", "description": "The following analytic detects modifications to the Windows registry key for setting up a proxy server. It leverages data from the Endpoint.Registry datamodel, focusing on changes to the \"Internet Settings\\\\ProxyServer\" registry path. This activity is significant as it can indicate malware or adversaries configuring a proxy to facilitate unauthorized communication with Command and Control (C2) servers. 
If confirmed malicious, this could allow attackers to establish persistent, covert channels for data exfiltration or further exploitation of the compromised host.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyServer\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyserver_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1075-655F-ED01-000000002903}", "process_id": "4440", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "proxy.example.com:8080", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T08:42:29", "lastTime": "2023-11-23T08:42:29"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1480-655F-5602-000000002903}", "process_id": "2280", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "proxy.example.com:8080", "registry_value_name": "ProxyServer", 
"registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "12", "firstTime": "2023-11-23T08:59:46", "lastTime": "2023-11-23T09:00:04"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1494-655F-6B02-000000002903}", "process_id": "3200", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "proxy.example.com:8080", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:00:05", "lastTime": "2023-11-23T09:00:05"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1494-655F-6C02-000000002903}", "process_id": "4884", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "proxy.example.com:8080", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:00:05", "lastTime": "2023-11-23T09:00:05"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1494-655F-6F02-000000002903}", "process_id": "3476", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "proxy.example.com:8080", "registry_value_name": "ProxyServer", 
"registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:00:05", "lastTime": "2023-11-23T09:00:05"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7A34-60FE-867E-00000000E601}", "process_id": "5112", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "6", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7A69-60FE-937E-00000000E601}", "process_id": "3552", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7CBC-60FE-EC7E-00000000E601}", "process_id": "6956", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", 
"registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7CF1-60FE-FE7E-00000000E601}", "process_id": "7912", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7D00-60FE-037F-00000000E601}", "process_id": "592", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7D28-60FE-0D7F-00000000E601}", "process_id": "6052", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": 
"http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-983B-60FE-6482-00000000E601}", "process_id": "5928", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-983C-60FE-6582-00000000E601}", "process_id": "7760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", "registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}, {"action": "modified", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-9A2B-60FE-A482-00000000E601}", "process_id": "4072", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer", "registry_key_name": "Internet Settings", 
"registry_value_data": "http=127.0.0.1:8888;https=127.0.0.1:8888", "registry_value_name": "ProxyServer", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T21:49:58", "lastTime": "2025-12-09T22:36:37"}], "error": null} +{"file_name": "windows_modify_registry_valleyrat_c2_config.yml", "description": "The following analytic detects modifications to theregistry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware\u2019s ability to exfiltrate data or control infected systems.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Console\\\\IpDateInfo\" AND Registry.registry_value_data=\"Binary Data\") OR (Registry.registry_path= \"*\\\\Console\\\\SelfPath\" AND Registry.registry_value_data=\"*.exe\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_valleyrat_c2_config_filter`", "results": [{"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-01d8-66df-9203-000000009402}", 
"process_id": "6816", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500\\Console\\IpDateInfo", "registry_key_name": "Console", "registry_value_data": "Binary Data", "registry_value_name": "IpDateInfo", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-0d46-66df-cd04-000000009402}", "process_id": "4740", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500\\Console\\IpDateInfo", "registry_key_name": "Console", "registry_value_data": "Binary Data", "registry_value_name": "IpDateInfo", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2"}, {"action": "modified", "dest": "testlab-win-dc.attackrange.local", "process_guid": "{35cd7c13-0d46-66df-cd04-000000009402}", "process_id": "4740", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-575361180-676758524-1812873886-500\\Console\\SelfPath", "registry_key_name": "Console", "registry_value_data": "C:\\Temp\\valleyrat.exe", "registry_value_name": "SelfPath", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2"}], "error": null} +{"file_name": "windows_new_inprocserver32_added.yml", "description": "The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. 
If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`", "results": [{"registry_path": "HKCR\\CLSID\\{00000000-1234-1234-1234-000000000000}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\bob\\MICROS~1\\FORMS\\PINVOKE~1.HEL\\hello.dll", "dest": "ar-win-2.attackrange.local", "process_guid": "{6B7A8EA0-07C7-65FB-004B-030000000F03}", "user": "Administrator", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{0017860B-369C-4F12-84E3-F7A20EE54EFB}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": 
"win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\IEAWSDC.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\CLSID\\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{08728914-3F57-4D52-9E31-49DAECA5A80A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, 
{"registry_path": "HKCR\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{10964DDD-6A53-4C60-917F-7B5723014344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", 
"count": "1"}, {"registry_path": "HKCR\\CLSID\\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MAPISHELL.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MAPISHELL.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MAPISHELL.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MAPISHELL.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MAPISHELL.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", 
"count": "1"}, {"registry_path": "HKCR\\CLSID\\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MAPISHELL.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MAPISHELL.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", 
"count": "3"}, {"registry_path": "HKCR\\CLSID\\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{15834F0C-3168-48CA-BAE0-65201FFF0B1C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-CD5B-6006-7C07-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll", "dest": "win-dc-480.attackrange.local", "process_guid": "{2CC55DE6-7028-5FB6-0000-0010D1BB2400}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll", "dest": "win-dc-495.attackrange.local", "process_guid": "{59A5CD1D-9458-6005-2C05-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7CBC-60FE-E87E-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{195B4D07-3DE2-4744-BBF2-D90121AE785B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\"%%ProgramData%%\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\DefenderCSP.dll\"", "dest": "soc101win11", "process_guid": "{8223a6b9-1588-6902-1902-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{1D83A8B4-A348-425C-A0BB-6AA53CB87BBD}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-721.attackrange.local", "process_guid": "{EAEF4273-2417-60BE-1200-00000000C401}", "user": "unknown", "count": 
"1"}, {"registry_path": "HKCR\\CLSID\\{1F9C7E02-00BB-493E-BA1E-1DCA09472A6F}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-128.attackrange.local", "process_guid": "{3BF36828-4B39-61E8-1100-00000000CF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\141.0.3537.99\\BHO\\ie_to_edge_bho_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-14c6-6902-cc01-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": 
"win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": 
"HKCR\\CLSID\\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLCTL.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLCTL.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLCTL.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLCTL.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLCTL.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLCTL.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLCTL.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", 
"user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\"%%ProgramData%%\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\MpOav.dll\"", "dest": "soc101win11", "process_guid": "{8223a6b9-1588-6902-1902-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{2A36ADCC-AABF-4EC4-996E-821AAFB0CA1B}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1300-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\MPUXAGENT.DLL", "dest": "soc101win11", "process_guid": "{8223a6b9-1588-6902-1902-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\MPUXAGENT.DLL", "dest": "soc101win11", "process_guid": "{8223a6b9-158a-6902-3a02-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{2EF44DE8-80C9-42D9-8541-F40EF0862FA3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": 
"SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OCHelper.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OCHelper.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OCHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OCHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OCHelper.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OCHelper.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OCHelper.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{3213CD15-4DF2-415F-83F2-9FC58F3AEB3A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3522D7AF-4617-4237-AAD8-5860231FC9BA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", 
"count": "3"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{36383E77-35C2-4B45-8277-329E4BEDF47F}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthProxyStub.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, 
{"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3886CA90-AB09-49D1-A047-7A62D096D275}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\141.0.3537.99\\PdfPreview\\PdfPreviewHandler.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-14c6-6902-cc01-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, 
{"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", 
"count": "2"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", 
"user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": 
"{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A0-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", 
"process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": 
"win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3BE786A2-0366-4F5C-9434-25CF162E475F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEOLEDB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{3CD3CA1E-2232-4BBF-A733-18B700409DA0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3F88CBF8-689B-4FDB-8254-22A54FCF97DD}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-96.attackrange.local", "process_guid": "{BEA10069-D0C2-6086-1100-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": 
"HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\MSGFILT.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": 
"{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\MSGFILT.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\MSGFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\MSGFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\MSGFILT.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\MSGFILT.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\MSGFILT.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": 
"HKCR\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileCoAuthLib64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileCoAuthLib64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{45F2C32F-ED16-4C94-8493-D72EF93A051B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4693FF15-B962-420A-9E5D-176F7D4B8321}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4693FF15-B962-420A-9E5D-176F7D4B8321}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4693FF15-B962-420A-9E5D-176F7D4B8321}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft 
Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{4693FF15-B962-420A-9E5D-176F7D4B8321}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{4693FF15-B962-420A-9E5D-176F7D4B8321}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4693FF15-B962-420A-9E5D-176F7D4B8321}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{4693FF15-B962-420A-9E5D-176F7D4B8321}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": 
"HKCR\\CLSID\\{46E31370-3F7A-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{46E31370-3F7A-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{46E31370-3F7A-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{46E31370-3F7A-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{46E31370-3F7A-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{46E31370-3F7A-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{46E31370-3F7A-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4795051A-6429-4D63-BCA0-D706532954AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4795051A-6429-4D63-BCA0-D706532954AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4795051A-6429-4D63-BCA0-D706532954AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\CLSID\\{4795051A-6429-4D63-BCA0-D706532954AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4795051A-6429-4D63-BCA0-D706532954AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4795051A-6429-4D63-BCA0-D706532954AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4795051A-6429-4D63-BCA0-D706532954AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIE.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIE.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIE.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIE.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIE.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIE.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIE.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4C599241-6926-101B-9992-00000B65C6F9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4C599241-6926-101B-9992-00000B65C6F9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4C599241-6926-101B-9992-00000B65C6F9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{4C599241-6926-101B-9992-00000B65C6F9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{4C599241-6926-101B-9992-00000B65C6F9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4C599241-6926-101B-9992-00000B65C6F9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4C599241-6926-101B-9992-00000B65C6F9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mapi32.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mapi32.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mapi32.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mapi32.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mapi32.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mapi32.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mapi32.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\MPUXAGENT.DLL", "dest": "soc101win11", "process_guid": "{8223a6b9-1588-6902-1902-000000002b00}", "user": "SYSTEM", "count": 
"1"}, {"registry_path": "HKCR\\CLSID\\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\MPUXAGENT.DLL", "dest": "soc101win11", "process_guid": "{8223a6b9-158a-6902-3a02-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": 
"unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", 
"count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": 
"win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{581C6708-9AF3-45F6-810F-6C7447E699B8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-932.attackrange.local", "process_guid": "{42DC5269-CE99-6086-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": 
"{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoAdfPs.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoAdfPs.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoAdfPs.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoAdfPs.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoAdfPs.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoAdfPs.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5A1DCFD3-7982-48F2-8A3D-5C35272862DE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoAdfPs.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": 
"15"}, {"registry_path": "HKCR\\CLSID\\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files 
(x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFPROXY.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFPROXY.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFPROXY.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFPROXY.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFPROXY.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5E90CC8B-E402-4350-82D7-996E92010608}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5E90CC8B-E402-4350-82D7-996E92010608}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5E90CC8B-E402-4350-82D7-996E92010608}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{5E90CC8B-E402-4350-82D7-996E92010608}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5E90CC8B-E402-4350-82D7-996E92010608}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5E90CC8B-E402-4350-82D7-996E92010608}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5E90CC8B-E402-4350-82D7-996E92010608}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\InProcServer32\\LoadWithoutCOM", "registry_key_name": "InProcServer32", "registry_value_name": "LoadWithoutCOM", "registry_value_data": "(Empty)", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\InProcServer32\\ThreadingModel", "registry_key_name": "InProcServer32", "registry_value_name": "ThreadingModel", "registry_value_data": "Apartment", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{5FFAB5C8-9A36-4B65-9FC6-FB69F451F99C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", 
"process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": 
"win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": 
"win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", 
"dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft 
Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{681D6F09-37AD-46F4-A612-725A53A72589}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", 
"registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{68EE3552-3226-48A8-8D9C-CAF218FAA874}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-982.attackrange.local", "process_guid": "{761B69BB-818C-607D-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6E182020-F460-11CE-9BCD-00AA00608E01}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6E182020-F460-11CE-9BCD-00AA00608E01}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6E182020-F460-11CE-9BCD-00AA00608E01}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6E182020-F460-11CE-9BCD-00AA00608E01}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6E182020-F460-11CE-9BCD-00AA00608E01}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6E182020-F460-11CE-9BCD-00AA00608E01}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6E182020-F460-11CE-9BCD-00AA00608E01}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6EBE30C7-FB56-4A46-89E5-A8BF7EA5A292}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1300-00000000CF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": 
"HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7808D8CD-FEB3-4EA0-88FE-FC6909634FC2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": 
"{8223a6b9-1363-6902-1001-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7808D8CD-FEB3-4EA0-88FE-FC6909634FC2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-1101-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7808D8CD-FEB3-4EA0-88FE-FC6909634FC2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1365-6902-1201-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{787A2D6B-EF66-488D-A303-513C9C75C344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{787A2D6B-EF66-488D-A303-513C9C75C344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{787A2D6B-EF66-488D-A303-513C9C75C344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": 
"{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{787A2D6B-EF66-488D-A303-513C9C75C344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{787A2D6B-EF66-488D-A303-513C9C75C344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{787A2D6B-EF66-488D-A303-513C9C75C344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{787A2D6B-EF66-488D-A303-513C9C75C344}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": 
"{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": 
"{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": 
"{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": 
"win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": 
"win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": 
"\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{849F5497-5C61-4023-8E10-A28F1A8C6A70}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{86F56B7F-A81B-478d-B231-50FD37CBE761}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{86F56B7F-A81B-478d-B231-50FD37CBE761}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{86F56B7F-A81B-478d-B231-50FD37CBE761}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{86F56B7F-A81B-478d-B231-50FD37CBE761}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{86F56B7F-A81B-478d-B231-50FD37CBE761}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{86F56B7F-A81B-478d-B231-50FD37CBE761}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{86F56B7F-A81B-478d-B231-50FD37CBE761}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{88866959-07B0-4ED8-8EF5-54BC7443D28C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{8E67B5C5-BAD3-4263-9F80-F769D50884F7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{91F83570-7900-4F39-B691-4E1444A1DA00}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-721.attackrange.local", "process_guid": "{EAEF4273-2417-60BE-1200-00000000C401}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": 
"HKCR\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9432194C-DF54-4824-8E24-B013BF2B90E3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9432194C-DF54-4824-8E24-B013BF2B90E3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{9432194C-DF54-4824-8E24-B013BF2B90E3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{9432194C-DF54-4824-8E24-B013BF2B90E3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9432194C-DF54-4824-8E24-B013BF2B90E3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9432194C-DF54-4824-8E24-B013BF2B90E3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9432194C-DF54-4824-8E24-B013BF2B90E3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", 
"dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": 
"HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{97A2762C-403C-4953-A121-7A75ABCE4373}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": 
"win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", 
"dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft 
Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common 
Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9BDAC276-BE24-4F04-BB22-11469B28A496}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9BDAC276-BE24-4F04-BB22-11469B28A496}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9BDAC276-BE24-4F04-BB22-11469B28A496}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{9BDAC276-BE24-4F04-BB22-11469B28A496}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9BDAC276-BE24-4F04-BB22-11469B28A496}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9BDAC276-BE24-4F04-BB22-11469B28A496}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9BDAC276-BE24-4F04-BB22-11469B28A496}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-1001-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-1101-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1365-6902-1201-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{9F9F77EA-17B8-416F-936D-9E593DDCC5A6}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-128.attackrange.local", "process_guid": "{3BF36828-DD0D-60DD-1300-00000000C801}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, 
{"registry_path": "HKCR\\CLSID\\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files 
(x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A1BD40BB-7563-461C-9124-B0E901BCD669}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-932.attackrange.local", "process_guid": "{42DC5269-CE99-6086-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": 
"win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-1001-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-1101-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine_64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1365-6902-1201-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\"%%ProgramData%%\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\ProtectionManagement.dll\"", "dest": "soc101win11", "process_guid": 
"{8223a6b9-1588-6902-1902-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{A8DB28C7-E36C-4978-8C0B-F0365751AB31}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoxev.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoxev.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoxev.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoxev.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoxev.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoxev.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoxev.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\InProcServer32\\LoadWithoutCOM", "registry_key_name": "InProcServer32", "registry_value_name": "LoadWithoutCOM", "registry_value_data": "(Empty)", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\InProcServer32\\ThreadingModel", "registry_key_name": "InProcServer32", "registry_value_name": "ThreadingModel", "registry_value_data": "Apartment", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{B41DB860-64E4-11D2-9906-E49FADC173CA}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\WinRAR\\rarext.dll", "dest": "win-dc-233.attackrange.local", "process_guid": "{D419E45B-F54A-60B8-2F51-00000000C401}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\141.0.3537.99\\EBWebView\\x64\\EmbeddedBrowserWebView.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-14c6-6902-cc01-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{B8A3CFD8-6F13-4B39-8FE9-0CA01EF372E0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\TecProxy.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "4"}, {"registry_path": "HKCR\\CLSID\\{B8A3CFD8-6F13-4B39-8FE9-0CA01EF372E0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\TecProxy.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "4"}, {"registry_path": "HKCR\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": 
"{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", 
"process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft 
Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\InProcServer32\\LoadWithoutCOM", "registry_key_name": "InProcServer32", "registry_value_name": "LoadWithoutCOM", "registry_value_data": "(Empty)", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\InProcServer32\\ThreadingModel", "registry_key_name": "InProcServer32", "registry_value_name": "ThreadingModel", "registry_value_data": "Apartment", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft 
OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONFILTER.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{C8DFF91D-B243-4797-BAE6-C461B65EDED3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, 
{"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, 
{"registry_path": "HKCR\\CLSID\\{D14EAFD4-0342-4F4C-B5C1-0CB79E2D0B75}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft 
Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\ACEDAO.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": 
"{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": 
"{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D66DC78C-4F61-447F-942B-3FB6980118CF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\VISSHE.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D7053240-CE69-11CD-A777-00DD01143C57}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D7053240-CE69-11CD-A777-00DD01143C57}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D7053240-CE69-11CD-A777-00DD01143C57}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": 
"{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{D7053240-CE69-11CD-A777-00DD01143C57}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D7053240-CE69-11CD-A777-00DD01143C57}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D7053240-CE69-11CD-A777-00DD01143C57}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{D7053240-CE69-11CD-A777-00DD01143C57}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DBF393FC-230C-46CC-8A85-E9C599A81EFB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", 
"process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", 
"process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA8D857-1A63-4045-8F36-8809EB093D04}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll", "dest": "win-dc-397.attackrange.local", "process_guid": "{E983936C-CD5B-6006-7D07-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA8D857-1A63-4045-8F36-8809EB093D04}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll", "dest": "win-dc-480.attackrange.local", "process_guid": "{2CC55DE6-7029-5FB6-0000-00107EBE2400}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA8D857-1A63-4045-8F36-8809EB093D04}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll", "dest": "win-dc-495.attackrange.local", "process_guid": 
"{59A5CD1D-9458-6005-2D05-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DCA8D857-1A63-4045-8F36-8809EB093D04}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7CBC-60FE-E77E-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": 
"{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DDE944C8-1C10-46AA-BF25-B8BAE99F2F64}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Tec.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "4"}, {"registry_path": "HKCR\\CLSID\\{DDE944C8-1C10-46AA-BF25-B8BAE99F2F64}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Tec.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": 
"{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "4"}, {"registry_path": "HKCR\\CLSID\\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{DF0C5B26-A2D5-49A7-AFC5-9A09CCD20D7C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ABCFE62-842F-603E-1300-00000000AD01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E041C90B-68BA-42C9-991E-477B73A75C90}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", 
"count": "1"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft 
Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\ODFFILT.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": 
"HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthSSO.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E476E4C0-409C-43CD-BBC0-5905B4138494}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.29429.1000-0\\SecurityHealthAgent.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1335-6902-d700-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E9729012-8271-4e1f-BC56-CF85F914915A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E9729012-8271-4e1f-BC56-CF85F914915A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": 
"{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E9729012-8271-4e1f-BC56-CF85F914915A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{E9729012-8271-4e1f-BC56-CF85F914915A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E9729012-8271-4e1f-BC56-CF85F914915A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E9729012-8271-4e1f-BC56-CF85F914915A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{E9729012-8271-4e1f-BC56-CF85F914915A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": 
"{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": 
"{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": 
"{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EBA37D0F-AAF3-43AB-9A19-355453048EDE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-982.attackrange.local", "process_guid": 
"{761B69BB-818C-607D-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", 
"process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL", "dest": "win-dc-877.attackrange.local", 
"process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Windows\\system32\\dxdiagn.dll", "dest": "win-dc-970.attackrange.local", "process_guid": "{CBEA6AB7-780D-6197-DB9E-000000000E02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Windows\\system32\\dxdiagn.dll", "dest": "win-dc-970.attackrange.local", "process_guid": "{CBEA6AB7-782A-6197-E39E-000000000E02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": 
"{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFROAMINGPROXY.DLL", "dest": 
"win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common 
Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\amd64\\FileSyncShell64.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F25728CC-6DE5-46DE-B1F1-3A701E1B200C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-987.attackrange.local", "process_guid": "{B81B27B7-1E7A-61BA-1200-00000000CD01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\\InProcServer32\\(Default)", "registry_key_name": 
"InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F8E61EDD-EA25-484e-AC8A-7447F2AAE2A9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "5"}, {"registry_path": 
"HKCR\\CLSID\\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "15"}, {"registry_path": "HKCR\\CLSID\\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Filters\\OFFFILTX.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "5"}, {"registry_path": "HKCR\\CLSID\\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EAF3-607E-6E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6E00-613B-E006-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7685-60FE-027A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-564B-60F5-C908-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1B39-606F-1369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B403-63D3-B103-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\Root\\VFS\\System\\FM20.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9C33-63CF-3E01-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\UCADDIN.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\UCADDIN.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\UCADDIN.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\UCADDIN.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\UCADDIN.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\UCADDIN.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\CLSID\\{a6a2383f-ad50-4d52-8110-3508275e77f7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\Office16\\UCADDIN.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": 
"{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{000D0E00-0000-0000-C000-000000001157}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{0017860B-369C-4F12-84E3-F7A20EE54EFB}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft 
Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\IEAWSDC.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\IEAWSDC.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\IEAWSDC.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\IEAWSDC.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\IEAWSDC.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\IEAWSDC.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\IEAWSDC.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-339.attackrange.local", "process_guid": 
"{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{07B06095-5687-4D13-9E32-12B4259C9813}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{10336656-40D7-4530-BCC0-86CD3D77D25F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft 
Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{15834F0C-3168-48CA-BAE0-65201FFF0B1C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": 
"%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1D83A8B4-A348-425C-A0BB-6AA53CB87BBD}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-721.attackrange.local", "process_guid": "{EAEF4273-2417-60BE-1200-00000000C401}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1F58AE05-0945-3625-8538-9E0CB19B3EC5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-CDC9-6026-722F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1F9C7E02-00BB-493E-BA1E-1DCA09472A6F}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": 
"%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-128.attackrange.local", "process_guid": "{3BF36828-4B39-61E8-1100-00000000CF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\141.0.3537.99\\BHO\\ie_to_edge_bho.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-14c6-6902-cc01-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.3009-0\\X86\\MpOav.dll\"", "dest": "soc101win11", "process_guid": "{8223a6b9-1588-6902-1902-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{2A36ADCC-AABF-4EC4-996E-821AAFB0CA1B}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-681.attackrange.local", "process_guid": "{E1BD9FC2-D2BA-609A-1300-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", 
"process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OCHelper.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": 
"win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{33154C99-BF49-443D-A73C-303A23ABBE97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{355822FC-86F1-4BE8-B5F0-A33736789641}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": 
"win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\141.0.3537.99\\PdfPreview\\PdfPreviewHandler.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-14c6-6902-cc01-000000002b00}", "user": "SYSTEM", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3F88CBF8-689B-4FDB-8254-22A54FCF97DD}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-96.attackrange.local", "process_guid": "{BEA10069-D0C2-6086-1100-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{42089D2D-912D-4018-9087-2B87803E93FB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileCoAuthLib.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileCoAuthLib.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{48E73304-E1D6-4330-914C-F5F514E3486C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIE.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", 
"count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft 
Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5504BE45-A83B-4808-900A-3A5C36E7F77A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": 
"{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft 
Office\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{550D0110-8DCD-11D1-8524-00A02495E426}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{57DA77F3-27D4-3F92-9153-53374796FDFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-CE2F-6026-8B2F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{57DA77F3-27D4-3F92-9153-53374796FDFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-CE3B-6026-8E2F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{57DA77F3-27D4-3F92-9153-53374796FDFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-CE6A-6026-992F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{57DA77F3-27D4-3F92-9153-53374796FDFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": 
"{6A74A0F8-CFFF-6026-CA2F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{57DA77F3-27D4-3F92-9153-53374796FDFE}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-D00B-6026-D52F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{581C6708-9AF3-45F6-810F-6C7447E699B8}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-932.attackrange.local", "process_guid": "{42DC5269-CE99-6086-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft 
Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": 
"{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFPROXY.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFPROXY.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFPROXY.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFPROXY.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5C615ED6-4F9F-48BE-8D84-17409196DE36}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFPROXY.DLL", "dest": 
"win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\InProcServer32\\LoadWithoutCOM", "registry_key_name": "InProcServer32", "registry_value_name": "LoadWithoutCOM", "registry_value_data": "(Empty)", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\InProcServer32\\ThreadingModel", "registry_key_name": "InProcServer32", "registry_value_name": "ThreadingModel", "registry_value_data": "Apartment", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft 
Office\\Office16\\AutoHelper.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\WOW6432Node\\CLSID\\{611B6CB4-ACE6-4655-8D60-15FAC4AD0952}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", 
"process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{64654B35-A024-4807-89D3-C6FDB5A260C7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{681D6F09-37AD-46F4-A612-725A53A72589}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": 
"(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, 
{"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68CED213-317D-3F27-9036-A33240DA522E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{68EE3552-3226-48A8-8D9C-CAF218FAA874}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", 
"registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-982.attackrange.local", "process_guid": "{761B69BB-818C-607D-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": 
"3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\VVIEWDWG.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{6EBE30C7-FB56-4A46-89E5-A8BF7EA5A292}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-58.attackrange.local", "process_guid": "{C2350C16-605E-60E8-1300-00000000CF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-CDE6-6026-752F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-CE08-6026-7C2F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-D01A-6026-D82F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-D03E-6026-DB2F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{701F1B61-77A1-3F20-8968-E41B6B14B2C2}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "mscoree.dll", "dest": "win-dc-444.attackrange.local", "process_guid": "{6A74A0F8-D048-6026-E12F-00000000A301}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", 
"registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{72B66649-3DBF-429F-BD6F-7774A9784B78}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft 
Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{7808D8CD-FEB3-4EA0-88FE-FC6909634FC2}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-0f01-000000002b00}", "user": "SYSTEM", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", 
"dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{807583E5-5146-11D5-A672-00B0D022E945}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSOXMLMF.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files 
(x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83081C08-382C-4ED4-ACCF-DCBECA021010}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", 
"dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{83C25742-A9F7-49FB-9138-434302C88D07}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\MSOSB.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{8AC780E1-BCDB-4816-A6EA-A88BCC064453}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\AutoHelper.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{91F83570-7900-4F39-B691-4E1444A1DA00}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-721.attackrange.local", "process_guid": "{EAEF4273-2417-60BE-1200-00000000C401}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": 
"unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft 
Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9800F18F-3D86-4744-A7D0-540989C86D7B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", 
"process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": 
"C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-0f01-000000002b00}", "user": "SYSTEM", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, 
{"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{9F9F77EA-17B8-416F-936D-9E593DDCC5A6}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": 
"(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-128.attackrange.local", "process_guid": "{3BF36828-DD0D-60DD-1300-00000000C801}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A1BD40BB-7563-461C-9124-B0E901BCD669}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-932.attackrange.local", "process_guid": "{42DC5269-CE99-6086-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", 
"registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.205.9\\psmachine.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1363-6902-0f01-000000002b00}", "user": "SYSTEM", 
"count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": 
"win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{A8DB28C7-E36C-4978-8C0B-F0365751AB31}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\InProcServer32\\LoadWithoutCOM", "registry_key_name": "InProcServer32", "registry_value_name": "LoadWithoutCOM", "registry_value_data": "(Empty)", "dest": 
"win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\InProcServer32\\ThreadingModel", "registry_key_name": "InProcServer32", "registry_value_name": "ThreadingModel", "registry_value_data": "Apartment", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": 
"InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\WinRAR\\rarext32.dll", "dest": "win-dc-233.attackrange.local", 
"process_guid": "{D419E45B-F54A-60B8-2F51-00000000C401}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program 
Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", 
"process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": 
"win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\InProcServer32\\LoadWithoutCOM", "registry_key_name": "InProcServer32", "registry_value_name": "LoadWithoutCOM", "registry_value_data": "(Empty)", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\InProcServer32\\ThreadingModel", "registry_key_name": "InProcServer32", "registry_value_name": "ThreadingModel", "registry_value_data": "Apartment", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": 
"win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "6"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "2"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{D14EAFD4-0342-4F4C-B5C1-0CB79E2D0B75}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-4E3C-6063-1200-00000000AF01}", "user": 
"unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{DF0C5B26-A2D5-49A7-AFC5-9A09CCD20D7C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ABCFE62-842F-603E-1300-00000000AD01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program 
Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-339.attackrange.local", "process_guid": 
"{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\msoshext.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", 
"registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", 
"process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EBA37D0F-AAF3-43AB-9A19-355453048EDE}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-dc-982.attackrange.local", "process_guid": "{761B69BB-818C-607D-1200-00000000BA01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common 
Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{EFBD9A69-66AF-4D44-BB36-D477E5014216}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\OSFROAMINGPROXY.DLL", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B499-63D3-D903-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD0-63CF-6501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7F-607E-9C0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7810-60FE-527A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BBC-606F-4369-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKCR\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\21.030.0211.0002\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9D12-63CF-A301-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files (x86)\\Microsoft OneDrive\\22.077.0410.0007\\FileSyncShell.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B53A-63D3-1F04-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F25728CC-6DE5-46DE-B1F1-3A701E1B200C}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "%%SystemRoot%%\\system32\\shdocvw.dll", "dest": "win-host-987.attackrange.local", "process_guid": "{B81B27B7-1E7A-61BA-1200-00000000CD01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft 
Office\\Office16\\Interceptor.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBF8-607E-DD0D-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-5794-60F5-850A-00000000E501}", "user": "unknown", "count": "1"}, 
{"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BF6-606F-6D6A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": 
"(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EB7A-607E-7E0B-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F39-613B-9F08-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-780B-60FE-357A-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7857-60FE-D17B-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft 
Office\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1BB8-606F-2569-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-host-ctus-attack-range-212", "process_guid": "{72106695-B4A1-63D3-E703-00000000BD02}", "user": "unknown", "count": "1"}, {"registry_path": "HKCR\\WOW6432Node\\CLSID\\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\ONBttnIELinkedNotes.dll", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9CD5-63CF-7501-00000000B202}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": 
"win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-1382834448-4213258134-3478073696-500_Classes\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-56.attackrange.local", "process_guid": "{2E2BE06D-7860-60FE-1F7C-00000000E601}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-C108-6156-D900-000000000002}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-C10A-6156-DE00-000000000002}", 
"user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-C10C-6156-E100-000000000002}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500_Classes\\Wow6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-1C03-606F-816A-01000000AF01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-325169965-3944942172-2068406585-500_Classes\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-339.attackrange.local", "process_guid": "{A7A01FEF-EBFF-607E-2A0E-00000000BB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C03-6156-BE43-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C05-6156-C043-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C07-6156-C443-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C57-6156-D443-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C59-6156-D643-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C5B-6156-DA43-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C66-6156-DE43-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", 
"registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C68-6156-E043-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C6A-6156-E243-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B3BD-6155-CF37-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B3BF-6155-D337-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", 
"dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B3C1-6155-D937-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B50B-6155-0538-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B50D-6155-0738-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B50F-6155-0938-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B5D0-6155-2B38-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B5D2-6155-2D38-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B5D4-6155-2F38-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B652-6155-4938-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B654-6155-4E38-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", 
"registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B656-6155-5338-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B6DF-6154-C816-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B6E1-6154-CA16-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B6E3-6154-CC16-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", 
"dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B78F-6154-E916-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B792-6154-EB16-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B794-6154-ED16-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B9FC-6154-B919-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B9FE-6154-E519-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA01-6154-061A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA25-6154-0F1A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA27-6154-111A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA29-6154-131A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", 
"registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC45-6154-641A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC47-6154-661A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC49-6154-691A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC7C-6154-761A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", 
"dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC7E-6154-781A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC80-6154-7A1A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BFBE-6155-AB39-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BFC1-6155-AD39-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BFC3-6155-AF39-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C0D6-6155-DE39-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C0D8-6155-E039-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C0DA-6155-E239-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C17B-6154-181B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", 
"registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C17E-6154-1A1B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C180-6154-1C1B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C19A-6154-211B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C19C-6154-231B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", 
"dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C19E-6154-251B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C1AA-6154-2D1B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C1AC-6154-2F1B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C1AE-6154-311B-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C290-6155-1C3A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C292-6155-1E3A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C294-6155-203A-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E23A-6155-3E3E-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E23C-6155-403E-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", 
"registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E23E-6155-423E-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E4FE-6155-C33E-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E500-6155-C53E-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E502-6155-C73E-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", 
"dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-FA6C-6156-EE5F-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-FA6E-6156-F05F-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-FA70-6156-F85F-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C71-6156-E843-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C73-6156-EA43-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C75-6156-EC43-02000000F001}", "user": "unknown", "count": "3"}, {"registry_path": "HKU\\S-1-5-21-3966725549-2172964581-1758441464-500_Classes\\CLSID\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Temp\\test.dll", "dest": "win-dc-89.attackrange.local", "process_guid": "{8057F119-2FF0-60EC-0A0A-00000000DB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3966725549-2172964581-1758441464-500_Classes\\CLSID\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Temp\\test.dll", "dest": "win-dc-89.attackrange.local", "process_guid": "{8057F119-307A-60EC-2B0A-00000000DB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3966725549-2172964581-1758441464-500_Classes\\CLSID\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Temp\\test.dll", "dest": "win-dc-89.attackrange.local", "process_guid": "{8057F119-3169-60EC-550A-00000000DB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-3966725549-2172964581-1758441464-500_Classes\\CLSID\\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Temp\\test.dll", "dest": "win-dc-89.attackrange.local", "process_guid": 
"{8057F119-3242-60EC-7C0A-00000000DB01}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, 
{"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileCoAuthLib64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileCoAuthLib64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileCoAuthLib64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\FileSyncShell64.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileCoAuthLib.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileCoAuthLib.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileCoAuthLib.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.159.0817.0003\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1358-6902-f600-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1372-6902-1801-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4051859043-1187413090-3677023548-500_Classes\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\25.189.0928.0002\\i386\\FileSyncShell.dll", "dest": "soc101win11", "process_guid": "{8223a6b9-1381-6902-2501-000000002b00}", "user": "Administrator", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-876.attackrange.local", "process_guid": "{43EB4363-57A1-60F5-C80A-00000000E501}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-492600379-461247840-3315989157-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "dest": "win-dc-970.attackrange.local", "process_guid": "{CBEA6AB7-5D70-6196-5A7D-000000000E02}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuthLib.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{BBACC218-34EA-4666-9D7A-C78F2274A524}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": 
"HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}, {"registry_path": "HKU\\S-1-5-21-589020557-3528615288-1361562277-500_Classes\\WOW6432Node\\CLSID\\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_name": "(Default)", "registry_value_data": "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll", "dest": "win-dc-387.attackrange.local", "process_guid": "{7BD73061-6F42-613B-0209-00000000F001}", "user": "unknown", "count": "1"}], "error": null} +{"file_name": "windows_modify_registry_disable_rdp.yml", "description": "This analytic is developed to detect suspicious registry modifications that disable Remote Desktop Protocol (RDP) by altering the \"fDenyTSConnections\" key. Changing this key's value to 1 prevents remote connections, which can disrupt remote management and access. 
Such modifications could indicate an attempt to hinder remote administration or isolate the system from remote intervention, potentially signifying malicious activity.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_rdp_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-F302-000000000B03}", "process_id": "364", "registry_hive": "HKEY_LOCAL_MACHINE\\\\System", "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "registry_key_name": "Terminal Server", "registry_value_data": "0x00000001", "registry_value_name": "fDenyTSConnections", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}], "error": null} +{"file_name": "windows_defender_asr_rule_disabled.yml", "description": "The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. 
When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.", "spl_query": "`ms_defender` EventCode IN (5007) | rex field=New_Value \"0x(?\\\\d+)$\" | rex field=Old_Value \"0x(?\\\\d+)$\" | rex field=New_Value \"Rules\\\\\\\\(?[A-Fa-f0-9\\\\-]+)\\\\s*=\" | eval New_Registry_Value=case(New_Registry_Value==\"0\", \"Disabled\", New_Registry_Value==\"1\", \"Block\", New_Registry_Value==\"2\", \"Audit\", New_Registry_Value==\"6\", \"Warn\") | eval Old_Registry_Value=case(Old_Registry_Value==\"0\", \"Disabled\", Old_Registry_Value==\"1\", \"Block\", Old_Registry_Value==\"2\", \"Audit\", Old_Registry_Value==\"6\", \"Warn\") | search New_Registry_Value=\"Disabled\" | stats count min(_time) as firstTime max(_time) as lastTime by host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID | lookup asr_rules ID AS ASR_ID OUTPUT ASR_Rule | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| rename host as dest | `windows_defender_asr_rule_disabled_filter`", "results": [], "error": null} +{"file_name": "windows_modify_registry_delete_firewall_rules.yml", "description": "The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. 
Monitoring these activities helps maintain network integrity and prevent malicious attacks.", "spl_query": "`sysmon` EventCode=12 TargetObject = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" EventType=DeleteValue | stats count min(_time) as firstTime max(_time) as lastTime by action dest process_guid process_id registry_hive registry_path registry_key_name status user vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_delete_firewall_rules_filter`", "results": [], "error": null} +{"file_name": "disable_windows_app_hotkeys.yml", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values indicative of this behavior. This activity is significant as it can impair an analyst's ability to use essential tools like Task Manager and Command Prompt, hindering incident response efforts. 
If confirmed malicious, this technique can allow an attacker to maintain persistence and evade detection, complicating the remediation process.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "results": [{"action": "modified", "dest": "win-dc-763.attackrange.local", "process_guid": "{B13AE1A5-6C4C-6092-5609-00000000BA01}", "process_id": "6916", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\\Debugger", "registry_key_name": "taskmgr.exe", "registry_value_data": "HotKey Disabled", "registry_value_name": "Debugger", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2021-05-05T09:58:37", "lastTime": "2025-12-10T07:26:28"}], "error": null} +{"file_name": "windows_modify_registry_no_auto_reboot_with_logon_user.yml", "description": "The following analytic detects a suspicious modification to the Windows registry that disables automatic reboot with a logged-on user. 
This detection leverages the Endpoint data model to identify changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security measures and deploy additional payloads without interruption.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoRebootWithLoggedOnUsers\" AND Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_reboot_with_logon_user_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B5D-6442-4203-00000000DD02}", "process_id": "6692", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "NoAutoRebootWithLoggedOnUsers", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:37", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": 
"win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C00-6442-6E03-00000000DD02}", "process_id": "6336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "NoAutoRebootWithLoggedOnUsers", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:21", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8803-00000000DD02}", "process_id": "4676", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "NoAutoRebootWithLoggedOnUsers", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_modify_registry_disable_win_defender_raw_write_notif.yml", "description": "The following analytic detects modifications to the Windows registry that disable the Windows Defender raw write notification feature. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path associated with Windows Defender's real-time protection settings. This activity is significant because disabling raw write notifications can allow malware, such as Azorult, to bypass Windows Defender's behavior monitoring, potentially leading to undetected malicious activities. 
If confirmed malicious, this could enable attackers to execute code, persist in the environment, and access sensitive information without detection.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`", "results": [{"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8E8-62A1-9901-000000006102}", "process_id": "5372", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification", "registry_key_name": "Real-Time Protection", "registry_value_data": "0x00000001", "registry_value_name": "DisableRawWriteNotification", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "20", "firstTime": "2022-06-09T12:34:49", "lastTime": "2026-01-23T22:13:24"}], "error": null} +{"file_name": "windows_modify_registry_disallow_windows_app.yml", "description": "The following analytic detects modifications to the Windows registry aimed at preventing the execution of specific computer programs. 
It leverages data from the Endpoint.Registry datamodel, focusing on changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" with a value of \"0x00000001\". This activity is significant as it can indicate an attempt to disable security tools, a tactic used by malware like Azorult. If confirmed malicious, this could allow an attacker to evade detection and maintain persistence on the compromised host.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun*\" Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`", "results": [{"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8E8-62A1-9901-000000006102}", "process_id": "5372", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "DisallowRun", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:50", "lastTime": "2026-01-23T22:13:24"}], "error": null} +{"file_name": 
"windows_modify_registry_disablesecuritysettings.yml", "description": "The following analytic detects modifications to the Windows registry that disable security settings for Terminal Services. It leverages the Endpoint data model, specifically monitoring changes to the registry path associated with Terminal Services security settings. This activity is significant because altering these settings can weaken the security posture of Remote Desktop Services, potentially allowing unauthorized remote access. If confirmed malicious, such modifications could enable attackers to gain persistent remote access to the system, facilitating further exploitation and data exfiltration.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Terminal Services\\\\DisableSecuritySettings\" Registry.registry_value_data = 0x00000001 by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disablesecuritysettings_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-247E-655F-2C04-000000002903}", "process_id": "3772", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableSecuritySettings", "registry_key_name": "Terminal Services", "registry_value_data": "0x00000001", "registry_value_name": "DisableSecuritySettings", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", 
"firstTime": "2023-11-23T10:07:58", "lastTime": "2023-11-23T10:07:58"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-2566-655F-4604-000000002903}", "process_id": "4752", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableSecuritySettings", "registry_key_name": "Terminal Services", "registry_value_data": "0x00000001", "registry_value_name": "DisableSecuritySettings", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T10:11:57", "lastTime": "2023-11-23T10:11:57"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-2575-655F-5204-000000002903}", "process_id": "3076", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableSecuritySettings", "registry_key_name": "Terminal Services", "registry_value_data": "0x00000001", "registry_value_name": "DisableSecuritySettings", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T10:12:07", "lastTime": "2023-11-23T10:12:07"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{F3BFD260-20B3-655F-8503-000000002803}", "process_id": "4112", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableSecuritySettings", "registry_key_name": "Terminal Services", "registry_value_data": "0x00000001", "registry_value_name": "DisableSecuritySettings", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:51:47", "lastTime": "2023-11-23T09:51:47"}, 
{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{F3BFD260-20D3-655F-8E03-000000002803}", "process_id": "4740", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableSecuritySettings", "registry_key_name": "Terminal Services", "registry_value_data": "0x00000001", "registry_value_name": "DisableSecuritySettings", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:54:00", "lastTime": "2023-11-23T09:54:00"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{F3BFD260-21F9-655F-B203-000000002803}", "process_id": "4728", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\DisableSecuritySettings", "registry_key_name": "Terminal Services", "registry_value_data": "0x00000001", "registry_value_name": "DisableSecuritySettings", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:57:13", "lastTime": "2023-11-23T09:57:13"}], "error": null} +{"file_name": "windows_hide_notification_features_through_registry.yml", "description": "The following analytic detects suspicious registry modifications aimed at hiding common Windows notification features on a compromised host. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant as it is often used by ransomware to obscure visual indicators, increasing the impact of the attack. 
If confirmed malicious, this could prevent users from noticing critical system alerts, thereby aiding the attacker in maintaining persistence and furthering their malicious activities undetected.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "results": [{"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2DDD-6227-E007-000000003602}", "process_id": "5096", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideSCAHealth", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:20:13", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2EED-6227-3708-000000003602}", "process_id": "100", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideSCAHealth", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:24:45", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F5E-6227-7708-000000003602}", "process_id": "2556", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideSCAHealth", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:26:38", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F93-6227-B008-000000003602}", "process_id": "6124", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideClock", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:31", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F93-6227-B108-000000003602}", "process_id": "7156", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideSCAHealth", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:31", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F93-6227-B208-000000003602}", "process_id": "2164", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideSCANetwork", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:31", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F93-6227-B308-000000003602}", "process_id": "5136", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideSCAPower", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:31", "lastTime": "2025-12-10T02:08:59"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F93-6227-B408-000000003602}", "process_id": "6180", "registry_hive": "HKEY_CURRENT_USER", 
"registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "HideSCAVolume", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:31", "lastTime": "2025-12-10T02:08:59"}], "error": null} +{"file_name": "disable_show_hidden_files.yml", "description": "The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\" )) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user 
Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{08CB57FB-C1BD-64AB-E700-00000000FA02}", "process_id": "3608", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3179303874-1983987604-3427696531-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T08:31:49", "lastTime": "2025-12-10T02:10:00"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{08CB57FB-C1BD-64AB-E700-00000000FA02}", "process_id": "3608", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3179303874-1983987604-3427696531-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T08:31:49", "lastTime": "2025-12-10T02:10:00"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{03D06954-0D17-65BC-8D01-000000004703}", "process_id": "1300", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3344543075-1022232225-2459664213-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": 
"Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2024-02-01T21:28:55", "lastTime": "2025-12-10T07:32:30"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{03D06954-132D-65BC-2B02-000000004703}", "process_id": "1316", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3344543075-1022232225-2459664213-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2024-02-01T21:54:53", "lastTime": "2025-12-10T07:32:30"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{13E3B8D2-8948-64BF-C600-00000000F902}", "process_id": "4448", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3884345684-401274181-143496042-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-25T14:29:54", "lastTime": "2023-07-25T14:29:54"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{13E3B8D2-8948-64BF-C600-00000000F902}", "process_id": "4448", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3884345684-401274181-143496042-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": 
"2023-07-25T14:29:54", "lastTime": "2023-07-25T14:29:54"}, {"action": "modified", "dest": "win-dc-15.attackrange.local", "process_guid": "{82A15F94-371C-6112-5301-00000000E501}", "process_id": "760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2413384075-1693603943-3559489279-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:42:14", "lastTime": "2025-12-09T22:42:14"}, {"action": "modified", "dest": "win-dc-15.attackrange.local", "process_guid": "{82A15F94-371C-6112-5301-00000000E501}", "process_id": "760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2413384075-1693603943-3559489279-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:42:14", "lastTime": "2025-12-09T22:42:14"}, {"action": "modified", "dest": "win-dc-15.attackrange.local", "process_guid": "{82A15F94-371C-6112-5301-00000000E501}", "process_id": "760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2413384075-1693603943-3559489279-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:42:14", "lastTime": "2025-12-09T22:42:14"}, {"action": "modified", "dest": 
"win-dc-15.attackrange.local", "process_guid": "{82A15F94-371C-6112-5301-00000000E501}", "process_id": "760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2413384075-1693603943-3559489279-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:42:14", "lastTime": "2025-12-09T22:42:14"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-2C35-6137-B002-00000000F001}", "process_id": "4436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-701328404-3962279559-3904273332-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-2C35-6137-B002-00000000F001}", "process_id": "4436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-701328404-3962279559-3904273332-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-2C35-6137-B002-00000000F001}", 
"process_id": "4436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-701328404-3962279559-3904273332-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-228.attackrange.local", "process_guid": "{5ADF971D-2C35-6137-B002-00000000F001}", "process_id": "4436", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-701328404-3962279559-3904273332-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:43:46", "lastTime": "2025-12-10T04:43:46"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-2D9A-605B-800A-00000000AE01}", "process_id": "4608", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1395536936-211942639-3556811650-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-2D9A-605B-800A-00000000AE01}", "process_id": "4608", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-1395536936-211942639-3556811650-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-2D9A-605B-800A-00000000AE01}", "process_id": "4608", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1395536936-211942639-3556811650-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-299.attackrange.local", "process_guid": "{3CFDEE80-2D9A-605B-800A-00000000AE01}", "process_id": "4608", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-1395536936-211942639-3556811650-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:48:24", "lastTime": "2025-12-09T22:48:24"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E731-60C1-5301-00000000C401}", "process_id": "5036", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-986166657-4127868789-2511509191-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E731-60C1-5301-00000000C401}", "process_id": "5036", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-986166657-4127868789-2511509191-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E731-60C1-5301-00000000C401}", "process_id": "5036", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-986166657-4127868789-2511509191-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-365.attackrange.local", "process_guid": "{928AB1BB-E731-60C1-5301-00000000C401}", "process_id": "5036", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-986166657-4127868789-2511509191-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:45:16", "lastTime": "2025-12-09T22:45:16"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-79C0-6151-E577-00000000FC01}", "process_id": "4296", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-79C0-6151-E577-00000000FC01}", "process_id": "4296", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-79C0-6151-E577-00000000FC01}", "process_id": "4296", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-2741910449-3045839080-4200281267-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-79C0-6151-E577-00000000FC01}", "process_id": "4296", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:51:49", "lastTime": "2025-12-10T04:51:49"}, {"action": "modified", "dest": "win-dc-639.attackrange.local", "process_guid": "{D0132419-0A66-614B-5001-00000000FC01}", "process_id": "4192", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4212517941-3008131832-663396887-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:52:56", "lastTime": "2025-12-09T22:52:56"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-B1A1-6050-2701-00000000AE01}", "process_id": "4620", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-750532476-3956299320-1675380311-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-B1A1-6050-2701-00000000AE01}", "process_id": "4620", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-750532476-3956299320-1675380311-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-B1A1-6050-2701-00000000AE01}", "process_id": "4620", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-750532476-3956299320-1675380311-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-654.attackrange.local", "process_guid": "{26337912-B1A1-6050-2701-00000000AE01}", "process_id": "4620", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-750532476-3956299320-1675380311-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:46:47", "lastTime": "2025-12-09T22:46:47"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F9C-604B-AA00-00000000AD01}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-895169564-1244314668-1918322960-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F9C-604B-AA00-00000000AD01}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-895169564-1244314668-1918322960-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F9C-604B-AA00-00000000AD01}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-895169564-1244314668-1918322960-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-73.attackrange.local", "process_guid": "{6423918C-7F9C-604B-AA00-00000000AD01}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-895169564-1244314668-1918322960-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:47:19", "lastTime": "2025-12-09T22:47:19"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DCAA-6113-ED00-00000000E501}", "process_id": "5048", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4098349297-3042404783-2477287307-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DCAA-6113-ED00-00000000E501}", "process_id": "5048", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-4098349297-3042404783-2477287307-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DCAA-6113-ED00-00000000E501}", "process_id": "5048", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4098349297-3042404783-2477287307-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-837.attackrange.local", "process_guid": "{856D1934-DCAA-6113-ED00-00000000E501}", "process_id": "5048", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4098349297-3042404783-2477287307-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:16:39", "lastTime": "2025-12-10T04:16:39"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-72BA-606C-AE15-01000000AF01}", "process_id": "5108", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-72BA-606C-AE15-01000000AF01}", "process_id": "5108", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-72BA-606C-AE15-01000000AF01}", "process_id": "5108", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3199041234-613076988-4072312029-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-877.attackrange.local", "process_guid": "{7F8C56E7-72BA-606C-AE15-01000000AF01}", "process_id": "5108", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3199041234-613076988-4072312029-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "4", "firstTime": "2025-12-10T02:42:13", "lastTime": "2025-12-10T02:42:13"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-64C5-6064-A500-00000000AE01}", "process_id": "4356", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-64C5-6064-A500-00000000AE01}", "process_id": "4356", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-64C5-6064-A500-00000000AE01}", "process_id": "4356", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-64C5-6064-A500-00000000AE01}", "process_id": "4356", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3601-00000000AE01}", "process_id": "5804", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3701-00000000AE01}", "process_id": "4052", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3901-00000000AE01}", "process_id": "3144", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3A01-00000000AE01}", "process_id": "3476", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3B01-00000000AE01}", "process_id": "5148", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": 
"0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-48ED-609D-3C01-00000000BA01}", "process_id": "4728", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3487033156-4149574945-3951608832-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-48ED-609D-3C01-00000000BA01}", "process_id": "4728", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3487033156-4149574945-3951608832-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-48ED-609D-3C01-00000000BA01}", "process_id": "4728", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3487033156-4149574945-3951608832-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": 
"success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-960.attackrange.local", "process_guid": "{C7A9AC19-48ED-609D-3C01-00000000BA01}", "process_id": "4728", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3487033156-4149574945-3951608832-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T03:24:54", "lastTime": "2025-12-10T03:24:54"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-188.attackrange.local", "process_guid": "{30B46F62-48CF-6352-9A00-000000008B02}", "process_id": "4804", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2377329074-3944928713-608161882-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-10-21T11:02:22", "lastTime": "2025-12-09T22:31:31"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-188.attackrange.local", "process_guid": "{30B46F62-48CF-6352-9A00-000000008B02}", "process_id": "4804", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2377329074-3944928713-608161882-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", 
"vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-10-21T11:02:22", "lastTime": "2025-12-09T22:31:31"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "process_guid": "{FCCA13C7-3387-63C5-9D01-00000000AF02}", "process_id": "1284", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-01-16T11:42:12", "lastTime": "2023-01-16T11:42:12"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "process_guid": "{FCCA13C7-3387-63C5-9D01-00000000AF02}", "process_id": "1284", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-489063788-1047142772-617343651-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-01-16T11:42:12", "lastTime": "2023-01-16T11:42:12"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E75-635A-9600-000000008A02}", "process_id": "4408", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3654133429-2950718773-2133640725-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", 
"count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E75-635A-9600-000000008A02}", "process_id": "4408", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3654133429-2950718773-2133640725-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-7E75-635A-9600-000000008A02}", "process_id": "4408", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3654133429-2950718773-2133640725-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-12-09T22:30:30", "lastTime": "2025-12-09T22:30:30"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "process_guid": "{A78D3DEB-1AE9-634D-9A00-000000008502}", "process_id": "4876", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2101601273-3326142395-4157521269-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": 
"2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-801.attackrange.local", "process_guid": "{A78D3DEB-1AE9-634D-9A00-000000008502}", "process_id": "4876", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2101601273-3326142395-4157521269-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-09T22:28:58", "lastTime": "2025-12-09T22:28:58"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E907-62A1-FA02-000000006102}", "process_id": "6408", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "40", "firstTime": "2022-06-09T12:35:19", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3383-6238-1C01-000000004102}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2182867758-2228517806-1658428495-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": 
"2022-03-21T08:13:49", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3383-6238-1C01-000000004102}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2182867758-2228517806-1658428495-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:13:44", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3383-6238-1C01-000000004102}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2182867758-2228517806-1658428495-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-21T08:13:44", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-362.attackrange.local", "process_guid": "{DA02E8FA-3383-6238-1C01-000000004102}", "process_id": "3324", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2182867758-2228517806-1658428495-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": 
"2022-03-21T08:13:44", "lastTime": "2025-12-09T22:51:26"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9BFB-63CF-0901-00000000B202}", "process_id": "528", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2245655832-1998535435-1064043650-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-ctus-attack-range-249", "process_guid": "{2EF863A9-9BFB-63CF-0901-00000000B202}", "process_id": "528", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2245655832-1998535435-1064043650-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:04:54", "lastTime": "2025-12-10T05:04:54"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-513E-623C-6505-000000004302}", "process_id": "3588", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2214540325-3392803530-572759246-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:09:42", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", 
"dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-513E-623C-6505-000000004302}", "process_id": "3588", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2214540325-3392803530-572759246-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000002", "registry_value_name": "Hidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:09:39", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-513E-623C-6505-000000004302}", "process_id": "3588", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2214540325-3392803530-572759246-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "registry_key_name": "Advanced", "registry_value_data": "0x00000001", "registry_value_name": "HideFileExt", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:09:39", "lastTime": "2025-12-09T22:44:16"}, {"action": "modified", "dest": "win-host-tcontreras-attack-range-971", "process_guid": "{9531C931-513E-623C-6505-000000004302}", "process_id": "3588", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2214540325-3392803530-572759246-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "registry_key_name": "Advanced", "registry_value_data": "0x00000000", "registry_value_name": "ShowSuperHidden", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-03-24T11:09:39", "lastTime": "2025-12-09T22:44:16"}], "error": null} +{"file_name": "windows_modify_registry_proxyenable.yml", 
"description": "The following analytic detects modifications to the Windows registry key \"ProxyEnable\" to enable proxy settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"Internet Settings\\ProxyEnable\" registry path. This activity is significant as it is commonly exploited by malware and adversaries to establish proxy communication, potentially connecting to malicious Command and Control (C2) servers. If confirmed malicious, this could allow attackers to redirect network traffic through a proxy, facilitating unauthorized communication and data exfiltration, thereby compromising the security of the affected host.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = \"*\\\\Internet Settings\\\\ProxyEnable\" Registry.registry_value_data = 0x00000001 by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_proxyenable_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1075-655F-EC01-000000002903}", "process_id": "4148", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable", "registry_key_name": "Internet Settings", "registry_value_data": "0x00000001", "registry_value_name": "ProxyEnable", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": 
"2023-11-23T08:42:29", "lastTime": "2023-11-23T08:42:29"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1480-655F-5602-000000002903}", "process_id": "2280", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable", "registry_key_name": "Internet Settings", "registry_value_data": "0x00000001", "registry_value_name": "ProxyEnable", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "12", "firstTime": "2023-11-23T08:59:46", "lastTime": "2023-11-23T09:00:04"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1494-655F-6B02-000000002903}", "process_id": "3200", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable", "registry_key_name": "Internet Settings", "registry_value_data": "0x00000001", "registry_value_name": "ProxyEnable", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:00:05", "lastTime": "2023-11-23T09:00:05"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1494-655F-6C02-000000002903}", "process_id": "4884", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable", "registry_key_name": "Internet Settings", "registry_value_data": "0x00000001", "registry_value_name": "ProxyEnable", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:00:05", "lastTime": 
"2023-11-23T09:00:05"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{0BACA6B2-1494-655F-6F02-000000002903}", "process_id": "3476", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-217062234-2484139415-3727922708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable", "registry_key_name": "Internet Settings", "registry_value_data": "0x00000001", "registry_value_name": "ProxyEnable", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-11-23T09:00:05", "lastTime": "2023-11-23T09:00:05"}], "error": null} +{"file_name": "windows_modify_registry_auto_update_notif.yml", "description": "The following analytic detects a suspicious modification to the Windows registry that changes the auto-update notification setting to \"Notify before download.\" This detection leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values. This activity is significant because it is a known technique used by adversaries, including malware like RedLine Stealer, to evade detection and potentially deploy additional payloads. 
If confirmed malicious, this modification could allow attackers to bypass security measures, maintain persistence, and exploit vulnerabilities on the target host.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AUOptions\" AND Registry.registry_value_data=\"0x00000002\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_update_notif_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B57-6442-3F03-00000000DD02}", "process_id": "6956", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions", "registry_key_name": "AU", "registry_value_data": "0x00000002", "registry_value_name": "AUOptions", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:35", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7BFB-6442-6B03-00000000DD02}", "process_id": "1648", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions", "registry_key_name": "AU", "registry_value_data": "0x00000002", "registry_value_name": "AUOptions", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", 
"vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:16", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8503-00000000DD02}", "process_id": "6308", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AUOptions", "registry_key_name": "AU", "registry_value_data": "0x00000002", "registry_value_name": "AUOptions", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_modify_registry_disable_windefender_notifications.yml", "description": "The following analytic detects a suspicious registry modification aimed at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" with a value of \"0x00000001\". This activity is significant as it indicates an attempt to evade detection by disabling security alerts, a technique used by adversaries and malware like RedLine Stealer. 
If confirmed malicious, this could allow attackers to operate undetected, increasing the risk of further compromise and data exfiltration.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\Notifications\\\\DisableNotifications\" AND Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_disable_windefender_notifications_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B57-6442-3E03-00000000DD02}", "process_id": "4884", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications", "registry_key_name": "Notifications", "registry_value_data": "0x00000001", "registry_value_name": "DisableNotifications", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:31", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7BF9-6442-6A03-00000000DD02}", "process_id": "5980", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications", "registry_key_name": "Notifications", "registry_value_data": 
"0x00000001", "registry_value_name": "DisableNotifications", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:15", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8403-00000000DD02}", "process_id": "6892", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications\\DisableNotifications", "registry_key_name": "Notifications", "registry_value_data": "0x00000001", "registry_value_name": "DisableNotifications", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_modify_registry_updateserviceurlalternate.yml", "description": "The following analytic detects a suspicious modification to the Windows Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate setting. It leverages data from the Endpoint.Registry datamodel to identify changes to this registry path. This activity is significant because adversaries, including malware like RedLine Stealer, exploit this technique to bypass detection and deploy additional payloads. 
If confirmed malicious, this modification could allow attackers to redirect update services, potentially leading to the execution of malicious code, further system compromise, and persistent evasion of security defenses.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\UpdateServiceUrlAlternate\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_updateserviceurlalternate_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B5D-6442-4703-00000000DD02}", "process_id": "1844", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "UpdateServiceUrlAlternate", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:37", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C08-6442-7303-00000000DD02}", "process_id": "7044", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": 
"UpdateServiceUrlAlternate", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:29", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8D03-00000000DD02}", "process_id": "6904", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\UpdateServiceUrlAlternate", "registry_key_name": "WindowsUpdate", "registry_value_data": "server.wsus", "registry_value_name": "UpdateServiceUrlAlternate", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_modify_registry_auto_minor_updates.yml", "description": "The following analytic identifies a suspicious modification to the Windows auto update configuration registry. It detects changes to the registry path \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" with a value of \"0x00000000\". This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to bypass detection and deploy additional payloads. 
If confirmed malicious, this modification could allow attackers to evade defenses, potentially leading to further system compromise and exploitation of zero-day vulnerabilities.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\AutoInstallMinorUpdates\" AND Registry.registry_value_data=\"0x00000000\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_auto_minor_updates_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B5B-6442-4003-00000000DD02}", "process_id": "4552", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates", "registry_key_name": "AU", "registry_value_data": "0x00000000", "registry_value_name": "AutoInstallMinorUpdates", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:35", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7BFC-6442-6C03-00000000DD02}", "process_id": "6596", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates", "registry_key_name": "AU", "registry_value_data": "0x00000000", "registry_value_name": 
"AutoInstallMinorUpdates", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:18", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8603-00000000DD02}", "process_id": "5236", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\AutoInstallMinorUpdates", "registry_key_name": "AU", "registry_value_data": "0x00000000", "registry_value_name": "AutoInstallMinorUpdates", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_disable_notification_center.yml", "description": "The following analytic detects the modification of the Windows registry to disable the Notification Center on a host machine. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the \"DisableNotificationCenter\" registry value set to \"0x00000001.\" This activity is significant because disabling the Notification Center can be a tactic used by RAT malware to hide its presence and subsequent actions. 
If confirmed malicious, this could allow an attacker to operate stealthily, potentially leading to further system compromise and data exfiltration.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "results": [{"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6556-6064-3101-00000000AE01}", "process_id": "172", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "DisableNotificationCenter", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8EC-62A1-9F01-000000006102}", "process_id": "4580", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": 
"DisableNotificationCenter", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:52", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-72.attackrange.local", "process_guid": "{15964E91-152C-620E-F007-000000003602}", "process_id": "6104", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-656111903-2775508965-369574649-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "DisableNotificationCenter", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2022-02-17T09:28:12", "lastTime": "2025-12-10T02:12:30"}], "error": null} +{"file_name": "disabling_norun_windows_app.yml", "description": "The following analytic detects the modification of the Windows registry to disable the Run application in the Start menu. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" with a value of \"0x00000001\". This activity is significant because the Run application is a useful shortcut for executing known applications and scripts. 
If confirmed malicious, this action could hinder system cleaning efforts and make it more difficult to run essential tools, thereby aiding malware persistence.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "results": [{"action": "modified", "dest": "win-dc-892.attackrange.local", "process_guid": "{266CAFBE-6557-6064-3D01-00000000AE01}", "process_id": "6352", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-4055678433-3894535204-3898404691-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", "registry_key_name": "Explorer", "registry_value_data": "0x00000001", "registry_value_name": "NoRun", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T07:33:00", "lastTime": "2025-12-10T07:33:00"}, {"action": "modified", "dest": "win-dc-tcontreras-attack-range-462.attackrange.local", "process_guid": "{C64CDE3E-2F85-6227-9A08-000000003602}", "process_id": "6272", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3798679359-297722169-3327854505-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", "registry_key_name": "Explorer", "registry_value_data": 
"0x00000001", "registry_value_name": "NoRun", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "15", "firstTime": "2022-03-08T10:27:17", "lastTime": "2025-12-10T02:08:59"}], "error": null} +{"file_name": "windows_outlook_dialogs_disabled_from_unusual_process.yml", "description": "The following analytic detects the modification of the Windows Registry key \"PONT_STRING\" under Outlook Options. This disables certain dialog popups, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel to search for this key changing from an unusual process. This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path=\"*\\\\Outlook\\\\Options\\\\General*\" Registry.registry_value_name=\"PONT_STRING\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)`| join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT (Processes.process_name = \"Outlook.exe\") by _time span=1h Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user 
Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`] | fields _time parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name action dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_outlook_dialogs_disabled_from_unusual_process_filter`", "results": [{"parent_process_name": "cmd.exe", "parent_process": "\"C:\\Windows\\system32\\cmd.exe\"", "process_name": "Onedrive.exe", "process_path": "C:\\ProgramData\\Onedrive.exe", "process": "Onedrive.exe", "process_guid": "F51F9151-CCF0-66AB-510B-000000000C00", "registry_path": "HKU\\S-1-5-21-1538153195-943065003-848949206-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Options\\General\\PONT_STRING", "registry_value_name": "PONT_STRING", "registry_value_data": "32,", "registry_key_name": "General", "action": "allowed", "dest": "WIN10-21H1.snapattack.labs", "user": "localuser"}], "error": null} +{"file_name": "windows_snappybee_create_test_registry.yml", "description": "The following analytic detects modifications to the Windows registry under `SOFTWARE\\Microsoft\\Test`, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here for monitoring update of itself file path, updated configuration file, or system mark compromised. The detection leverages **Sysmon Event ID 13** (Registry Value Set) to identify unauthorized changes. 
Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Test\\\\*\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snappybee_create_test_registry_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{A9E392D4-1CF5-67AB-7902-00000000CD03}", "process_id": "2336", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Test\\DPFINEHSXR\\HGVMIWMISX", "registry_key_name": "DPFINEHSXR", "registry_value_data": "C:\\ProgramData\\Microsot\\MicrosotShared.exe", "registry_value_name": "HGVMIWMISX", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2025-02-11T09:48:37", "lastTime": "2025-02-11T09:48:37"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{A9E392D4-1D14-67AB-8702-00000000CD03}", "process_id": "6668", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Test\\BSZOIHCXN\\JYWAIWXD", "registry_key_name": "BSZOIHCXN", "registry_value_data": "Binary Data", "registry_value_name": "JYWAIWXD", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", 
"count": "2", "firstTime": "2025-02-11T09:49:08", "lastTime": "2025-02-11T09:49:08"}], "error": null} +{"file_name": "windows_inprocserver32_new_outlook_form.yml", "description": "The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, potentially indicating exploitation of CVE-2024-21378. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths involving InProcServer32 keys linked to Outlook forms. This activity is significant as it may signify an attempt to achieve authenticated remote code execution via malicious form objects. If confirmed malicious, this could allow an attacker to create arbitrary files and registry keys, leading to remote code execution and potential full system compromise.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\InProcServer32\\\\*\" Registry.registry_value_data=*\\\\FORMS\\\\* by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_inprocserver32_new_outlook_form_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{6B7A8EA0-07C7-65FB-004B-030000000F03}", "process_id": "4172", "registry_hive": "null", "registry_path": "HKCR\\CLSID\\{00000000-1234-1234-1234-000000000000}\\InprocServer32\\(Default)", "registry_key_name": "InprocServer32", "registry_value_data": "C:\\Users\\bob\\MICROS~1\\FORMS\\PINVOKE~1.HEL\\hello.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft 
Sysmon", "count": "5"}], "error": null} +{"file_name": "windows_outlook_webview_registry_modification.yml", "description": "The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focuses on changes to the \"URL\" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information.", "spl_query": "| tstats `security_content_summariesonly` count values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_data) as registry_value_data min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path=\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\WebView\\\\*\" OR Registry.registry_path=\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Today\") AND Registry.registry_value_name=\"URL\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_outlook_webview_registry_modification_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Calendar\\URL", "registry_key_name": "Calendar", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Contacts\\URL", "registry_key_name": "Contacts", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Deleted Items\\URL", "registry_key_name": "Deleted Items", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Drafts\\URL", "registry_key_name": "Drafts", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Inbox\\URL", "registry_key_name": "Inbox", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Journal\\URL", "registry_key_name": "Journal", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Junk E-mail\\URL", "registry_key_name": "Junk E-mail", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Notes\\URL", "registry_key_name": "Notes", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Outbox\\URL", "registry_key_name": "Outbox", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\RSS\\URL", "registry_key_name": "RSS", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Sent Mail\\URL", "registry_key_name": "Sent Mail", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\14.0\\Outlook\\WebView\\Tasks\\URL", "registry_key_name": "Tasks", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2024-07-30T15:29:40", "lastTime": "2025-12-10T02:14:01"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Calendar\\URL", "registry_key_name": "Calendar", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Contacts\\URL", "registry_key_name": "Contacts", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Deleted Items\\URL", "registry_key_name": "Deleted Items", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Drafts\\URL", "registry_key_name": "Drafts", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Inbox\\URL", "registry_key_name": "Inbox", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Journal\\URL", "registry_key_name": "Journal", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Junk E-mail\\URL", "registry_key_name": "Junk E-mail", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Notes\\URL", "registry_key_name": "Notes", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Outbox\\URL", "registry_key_name": "Outbox", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\RSS\\URL", "registry_key_name": "RSS", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Sent Mail\\URL", "registry_key_name": "Sent Mail", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\15.0\\Outlook\\WebView\\Tasks\\URL", "registry_key_name": "Tasks", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Calendar\\URL", "registry_key_name": "Calendar", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Contacts\\URL", "registry_key_name": "Contacts", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Deleted Items\\URL", "registry_key_name": "Deleted Items", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Drafts\\URL", "registry_key_name": "Drafts", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Inbox\\URL", "registry_key_name": "Inbox", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Journal\\URL", "registry_key_name": "Journal", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Junk E-mail\\URL", "registry_key_name": "Junk E-mail", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Notes\\URL", "registry_key_name": "Notes", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Outbox\\URL", "registry_key_name": "Outbox", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\RSS\\URL", "registry_key_name": "RSS", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Sent Mail\\URL", "registry_key_name": "Sent Mail", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{16e6810e-c3eb-66a7-d370-060000009302}", "process_id": "6560", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-560616516-1175754387-3922768235-500\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Tasks\\URL", "registry_key_name": "Tasks", "registry_value_data": "https://example.com/malicious", "registry_value_name": "URL", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-07-30T15:29:40", "lastTime": "2024-07-30T15:29:40"}], "error": null} +{"file_name": "windows_modify_registry_suppress_win_defender_notif.yml", "description": "The following analytic detects modifications in the Windows registry to suppress Windows Defender notifications. 
It leverages data from the Endpoint.Registry datamodel, specifically targeting changes to the \"Notification_Suppress\" registry value. This activity is significant because adversaries, including those deploying Azorult malware, use this technique to bypass Windows Defender and disable critical notifications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, and execute further malicious activities without alerting the user or security tools.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`", "results": [{"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8E8-62A1-9901-000000006102}", "process_id": "5372", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress", "registry_key_name": "UX Configuration", "registry_value_data": "0x00000001", "registry_value_name": "Notification_Suppress", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:50", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", 
"process_guid": "{B58D6529-E8EC-62A1-9F01-000000006102}", "process_id": "4580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress", "registry_key_name": "UX Configuration", "registry_value_data": "0x00000001", "registry_value_name": "Notification_Suppress", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:52", "lastTime": "2026-01-23T22:13:24"}], "error": null} +{"file_name": "windows_modify_registry_qakbot_binary_data_registry.yml", "description": "The following analytic detects the creation of a suspicious registry entry by Qakbot malware, characterized by 8 random registry value names with encrypted binary data. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications under the \"SOFTWARE\\\\Microsoft\\\\\" path by processes like explorer.exe. This activity is significant as it indicates potential Qakbot infection, which uses the registry to store malicious code or configuration data. 
If confirmed malicious, this could allow attackers to maintain persistence and execute arbitrary code on the compromised system.", "spl_query": "| tstats `security_content_summariesonly` count dc(registry_value_name) as registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\*\" AND Registry.registry_value_data = \"Binary Data\" by _time span=1m Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | eval registry_key_name_len = len(registry_key_name) | eval registry_value_name_len = len(registry_value_name) | regex registry_value_name=\"^[0-9a-fA-F]{8}\" | where registry_key_name_len < 80 AND registry_value_name_len == 8 | join process_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name IN (\"explorer.exe\", \"wermgr.exe\",\"dxdiag.exe\", \"OneDriveSetup.exe\", \"mobsync.exe\", \"msra.exe\", \"xwizard.exe\") by _time span=1m Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` ] | stats min(_time) as firstTime max(_time) as lastTime values(registry_value_name) as registry_value_name dc(registry_value_name) as registry_value_name_count values(registry_key_name) by dest process_guid process_name parent_process_name | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where registry_value_name_count >= 5 | `windows_modify_registry_qakbot_binary_data_registry_filter`", "results": [{"dest": "win-dc-ctus-attack-range-188.attackrange.local", "process_guid": "{30B46F62-7D2B-6352-0608-000000008B02}", "process_name": "explorer.exe", "parent_process_name": "aurora-agent.exe", "firstTime": "2022-10-21T11:07:00", "lastTime": "2022-10-21T11:07:00", "registry_value_name": ["1da9cca8", "28361ce6", "2a773c9a", "577f7310", "62e0a35e", "908a7b83", "92cb5bff", "efc31475"], "registry_value_name_count": "8", "values(registry_key_name)": "Eshorkcy"}, {"dest": "win-dc-ctus-attack-range-188.attackrange.local", "process_guid": "{30B46F62-7D2B-6352-0608-000000008B02}", "process_name": "explorer.exe", "parent_process_name": "regsvr32.exe", "firstTime": "2025-12-09T22:31:00", "lastTime": "2025-12-09T22:31:00", "registry_value_name": ["1da9cca8", "28361ce6", "2a773c9a", "577f7310", "62e0a35e", "908a7b83", "92cb5bff", "efc31475"], "registry_value_name_count": "8", "values(registry_key_name)": "Eshorkcy"}, {"dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-807D-635A-1601-000000008A02}", "process_name": "wermgr.exe", "parent_process_name": "aurora-agent.exe", "firstTime": "2025-12-09T22:29:00", "lastTime": "2025-12-09T22:29:00", "registry_value_name": ["1da9cca8", "af2ecc78", "bd9b6396", "c0932c1c", "d81de447", "dede84c3"], "registry_value_name_count": "6", "values(registry_key_name)": "Eshorkcy"}, {"dest": "win-dc-ctus-attack-range-487.attackrange.local", "process_guid": "{3381F800-807D-635A-1601-000000008A02}", "process_name": "wermgr.exe", "parent_process_name": "regsvr32.exe", "firstTime": "2025-12-09T22:30:00", "lastTime": "2025-12-09T22:30:00", "registry_value_name": ["1da9cca8", "28361ce6", "2a773c9a", "577f7310", "62e0a35e", "908a7b83", "92cb5bff", "efc31475"], "registry_value_name_count": "8", "values(registry_key_name)": "Eshorkcy"}, 
{"dest": "win-dc-ctus-attack-range-801.attackrange.local", "process_guid": "{A78D3DEB-1BD6-634D-F500-000000008502}", "process_name": "explorer.exe", "parent_process_name": "regsvr32.exe", "firstTime": "2025-12-09T22:28:00", "lastTime": "2025-12-09T22:28:00", "registry_value_name": ["75c709fe", "77862982", "85ecf15f", "b0732111", "cd7b6e9b", "cf3a4ee7", "faa59ea9"], "registry_value_name_count": "7", "values(registry_key_name)": "Eybfvhazm"}], "error": null} +{"file_name": "windows_modify_registry_enablelinkedconnections.yml", "description": "The following analytic detects a suspicious modification to the Windows registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry datamodel to identify changes where the registry path is \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" and the value is set to \"0x00000001\". This activity is significant because enabling linked connections can allow network shares to be accessed with both standard and administrator-level privileges, a technique often abused by malware like BlackByte ransomware. 
If confirmed malicious, this could lead to unauthorized access to sensitive network resources, escalating the attacker's privileges.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections\" Registry.registry_value_data = \"0x00000001\") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_enablelinkedconnections_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{08CB57FB-C2FF-64AB-2001-00000000FA02}", "process_id": "4928", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "registry_key_name": "System", "registry_value_data": "0x00000001", "registry_value_name": "EnableLinkedConnections", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "3", "firstTime": "2023-07-10T08:36:15", "lastTime": "2025-12-10T02:10:00"}], "error": null} +{"file_name": "windows_modify_registry_configure_bitlocker.yml", "description": "This analytic is developed to detect suspicious registry modifications targeting BitLocker settings. The malware ShrinkLocker alters various registry keys to change how BitLocker handles encryption, potentially bypassing TPM requirements, enabling BitLocker without TPM, and enforcing specific startup key and PIN configurations. 
Such modifications can weaken system security, making it easier for unauthorized access and data breaches. Detecting these changes is crucial for maintaining robust encryption and data protection.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\FVE\\\\*\" Registry.registry_value_name IN(\"EnableBDEWithNoTPM\", \"EnableNonTPM\", \"UseAdvancedStartup\") Registry.registry_value_data = 0x00000001) OR (Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\FVE\\\\*\" Registry.registry_value_name IN(\"UsePIN\", \"UsePartialEncryptionKey\", \"UseTPM\", \"UseTPMKey\", \"UseTPMKeyPIN\", \"UseTPMPIN\") Registry.registry_value_data = 0x00000002) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_configure_bitlocker_filter`", "results": [{"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-0103-000000000B03}", "process_id": "4620", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseTPMKeyPIN", "registry_key_name": "FVE", "registry_value_data": "0x00000002", "registry_value_name": "UseTPMKeyPIN", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-0303-000000000B03}", "process_id": "4868", 
"registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\EnableNonTPM", "registry_key_name": "FVE", "registry_value_data": "0x00000001", "registry_value_name": "EnableNonTPM", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-0503-000000000B03}", "process_id": "4000", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UsePartialEncryptionKey", "registry_key_name": "FVE", "registry_value_data": "0x00000002", "registry_value_name": "UsePartialEncryptionKey", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:12", "lastTime": "2024-06-17T16:00:12"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-F702-000000000B03}", "process_id": "1980", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseAdvancedStartup", "registry_key_name": "FVE", "registry_value_data": "0x00000001", "registry_value_name": "UseAdvancedStartup", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-F902-000000000B03}", "process_id": "700", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\EnableBDEWithNoTPM", "registry_key_name": "FVE", "registry_value_data": "0x00000001", "registry_value_name": 
"EnableBDEWithNoTPM", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-FB02-000000000B03}", "process_id": "2760", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseTPM", "registry_key_name": "FVE", "registry_value_data": "0x00000002", "registry_value_name": "UseTPM", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-FD02-000000000B03}", "process_id": "188", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseTPMPIN", "registry_key_name": "FVE", "registry_value_data": "0x00000002", "registry_value_name": "UseTPMPIN", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", "process_guid": "{8C7CB5F3-5D8B-6670-FF02-000000000B03}", "process_id": "2852", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UseTPMKey", "registry_key_name": "FVE", "registry_value_data": "0x00000002", "registry_value_name": "UseTPMKey", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:11", "lastTime": "2024-06-17T16:00:11"}, {"action": "modified", "dest": "ar-win-2.attackrange.local", 
"process_guid": "{8C7CB5F3-5D8C-6670-0703-000000000B03}", "process_id": "3216", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE\\UsePIN", "registry_key_name": "FVE", "registry_value_data": "0x00000002", "registry_value_name": "UsePIN", "registry_value_type": "REG_DWORD", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2024-06-17T16:00:12", "lastTime": "2024-06-17T16:00:12"}], "error": null} +{"file_name": "windows_modify_registry_disable_windows_security_center_notif.yml", "description": "The following analytic detects modifications to the Windows registry aimed at disabling Windows Security Center notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" with a value of \"0x00000000\". This activity is significant as it can indicate an attempt by adversaries or malware, such as Azorult, to evade defenses by suppressing critical update notifications. 
If confirmed malicious, this could allow attackers to persist undetected, potentially leading to further exploitation and compromise of the host system.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registry.registry_value_data=\"0x00000000\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`", "results": [{"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8E8-62A1-9901-000000006102}", "process_id": "5372", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience", "registry_key_name": "ImmersiveShell", "registry_value_data": "0x00000000", "registry_value_name": "UseActionCenterExperience", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:50", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8E8-62A1-9901-000000006102}", "process_id": "5372", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience", "registry_key_name": "ImmersiveShell", "registry_value_data": 
"0x00000000", "registry_value_name": "UseActionCenterExperience", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:50", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8EC-62A1-9F01-000000006102}", "process_id": "4580", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience", "registry_key_name": "ImmersiveShell", "registry_value_data": "0x00000000", "registry_value_name": "UseActionCenterExperience", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:52", "lastTime": "2026-01-23T22:13:24"}], "error": null} +{"file_name": "windows_modify_registry_disable_toast_notifications.yml", "description": "The following analytic detects modifications to the Windows registry that disable toast notifications. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the registry path \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" with a value set to \"0x00000000\". This activity is significant because disabling toast notifications can prevent users from receiving critical system and application updates, which adversaries like Azorult exploit for defense evasion. 
If confirmed malicious, this action could allow attackers to operate undetected, leading to prolonged persistence and potential further compromise of the system.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled*\" Registry.registry_value_data=\"0x00000000\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`", "results": [{"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8E8-62A1-9901-000000006102}", "process_id": "5372", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled", "registry_key_name": "PushNotifications", "registry_value_data": "0x00000000", "registry_value_name": "ToastEnabled", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:50", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8EC-62A1-9F01-000000006102}", "process_id": "4580", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled", "registry_key_name": 
"PushNotifications", "registry_value_data": "0x00000000", "registry_value_name": "ToastEnabled", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:52", "lastTime": "2026-01-23T22:13:24"}], "error": null} +{"file_name": "windows_modify_registry_no_auto_update.yml", "description": "The following analytic identifies a suspicious modification to the Windows registry that disables automatic updates. It detects changes to the registry path `SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate` with a value of `0x00000001`. This activity is significant as it is commonly used by adversaries, including malware like RedLine Stealer, to evade detection and maintain persistence. If confirmed malicious, this could allow attackers to bypass security updates, leaving the system vulnerable to further exploitation and potential zero-day attacks.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU\\\\NoAutoUpdate\" AND Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_modify_registry_no_auto_update_filter`", "results": [{"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7B5B-6442-4103-00000000DD02}", "process_id": "6152", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "NoAutoUpdate", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:02:37", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7BFE-6442-6D03-00000000DD02}", "process_id": "4080", "registry_hive": "HKEY_LOCAL_MACHINE\\\\Software", "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "NoAutoUpdate", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:05:20", "lastTime": "2025-12-09T22:54:57"}, {"action": "modified", "dest": "win-host-ctus-attack-range-328", "process_guid": "{223CB5FF-7C2E-6442-8703-00000000DD02}", "process_id": "3772", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2249407279-2659954650-342429190-500\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", "registry_key_name": "AU", "registry_value_data": "0x00000001", "registry_value_name": "NoAutoUpdate", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "24", "firstTime": "2023-04-21T12:06:06", "lastTime": "2025-12-09T22:54:57"}], "error": null} +{"file_name": "windows_modify_registry_disabling_wer_settings.yml", "description": "The following analytic detects modifications in the Windows registry to disable Windows Error Reporting (WER) settings. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to registry paths related to WER with a value set to \"0x00000001\". 
This activity is significant as adversaries may disable WER to suppress error notifications, hiding the presence of malicious activities. If confirmed malicious, this could allow attackers to operate undetected, potentially leading to prolonged persistence and further exploitation within the environment.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.registry_value_data=\"0x00000001\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`", "results": [{"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8E8-62A1-9901-000000006102}", "process_id": "5372", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable", "registry_key_name": "Windows Error Reporting", "registry_value_data": "0x00000001", "registry_value_name": "disable", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:50", "lastTime": "2026-01-23T22:13:24"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-921.attackrange.local", "process_guid": "{B58D6529-E8EC-62A1-9F01-000000006102}", "process_id": "4580", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-2167596188-154398838-2475435708-500\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable", "registry_key_name": "Windows Error Reporting", "registry_value_data": "0x00000001", "registry_value_name": "disable", "registry_value_type": "REG_DWORD", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "10", "firstTime": "2022-06-09T12:34:52", "lastTime": "2026-01-23T22:13:24"}], "error": null} +{"file_name": "windows_modify_registry_nochangingwallpaper.yml", "description": "The following analytic detects modifications to the Windows registry aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the \"NoChangingWallPaper\" registry value. This activity is significant as it is a known tactic used by Rhysida ransomware to enforce a malicious wallpaper, thereby limiting user control over system settings. If confirmed malicious, this registry change could indicate a ransomware infection, leading to further system compromise and user disruption.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ActiveDesktop\\\\NoChangingWallPaper\" Registry.registry_value_data = 1) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_nochangingwallpaper_filter`", "results": [{"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": 
"{AE77D3C2-78C5-6578-8007-000000003203}", "process_id": "2748", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3823004618-1971181288-2480084045-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper", "registry_key_name": "ActiveDesktop", "registry_value_data": "1", "registry_value_name": "NoChangingWallPaper", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-12-12T15:14:13", "lastTime": "2023-12-12T15:14:13"}, {"action": "modified", "dest": "ar-win-dc.attackrange.local", "process_guid": "{AE77D3C2-7AE2-6578-C007-000000003203}", "process_id": "4600", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3823004618-1971181288-2480084045-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallPaper", "registry_key_name": "ActiveDesktop", "registry_value_data": "1", "registry_value_name": "NoChangingWallPaper", "registry_value_type": "unknown", "status": "success", "user": "Administrator", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-12-12T15:23:14", "lastTime": "2023-12-12T15:23:14"}], "error": null} +{"file_name": "windows_modify_registry_default_icon_setting.yml", "description": "The following analytic detects suspicious modifications to the Windows registry's default icon settings, a technique associated with Lockbit ransomware. It leverages data from the Endpoint Registry data model, focusing on changes to registry paths under \"*HKCR\\\\*\\\\defaultIcon\\\\(Default)*\". This activity is significant as it is uncommon for normal users to modify these settings, and such changes can indicate ransomware infection or other malware. 
If confirmed malicious, this could lead to system defacement and signal a broader ransomware attack, potentially compromising sensitive data and system integrity.", "spl_query": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path =\"*\\\\defaultIcon\\\\(Default)*\" Registry.registry_path = \"*HKCR\\\\*\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_modify_registry_default_icon_setting_filter`", "results": [{"action": "modified", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "process_id": "852", "registry_hive": "null", "registry_path": "HKCR\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\DefaultIcon\\(Default)", "registry_key_name": "DefaultIcon", "registry_value_data": "%%SystemRoot%%\\system32\\shell32.dll,9", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:00:52", "lastTime": "2025-12-10T05:00:52"}, {"action": "modified", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "process_id": "852", "registry_hive": "null", "registry_path": "HKCR\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\DefaultIcon\\(Default)", "registry_key_name": "DefaultIcon", "registry_value_data": "%%SystemRoot%%\\system32\\shell32.dll,9", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", 
"count": "1", "firstTime": "2025-12-10T04:50:18", "lastTime": "2025-12-10T04:50:18"}, {"action": "modified", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "process_id": "852", "registry_hive": "null", "registry_path": "HKCR\\WOW6432Node\\CLSID\\{5F2D169D-FCFE-4A90-A89B-0EC6B8FC57B7}\\DefaultIcon\\(Default)", "registry_key_name": "DefaultIcon", "registry_value_data": "%%SystemRoot%%\\system32\\shell32.dll,9", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:00:52", "lastTime": "2025-12-10T05:00:52"}, {"action": "modified", "dest": "win-dc-291.attackrange.local", "process_guid": "{4DF467A6-3F48-6132-1200-00000000F001}", "process_id": "852", "registry_hive": "null", "registry_path": "HKCR\\WOW6432Node\\CLSID\\{AF3459C4-D757-4643-B9C9-EE6B966BD1E9}\\DefaultIcon\\(Default)", "registry_key_name": "DefaultIcon", "registry_value_data": "%%SystemRoot%%\\system32\\shell32.dll,9", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T04:50:18", "lastTime": "2025-12-10T04:50:18"}, {"action": "modified", "dest": "win-dc-ctus-attack-range-221.attackrange.local", "process_guid": "{FCCA13C7-394B-63C5-A305-00000000AF02}", "process_id": "3676", "registry_hive": "null", "registry_path": "HKCR\\cHpfiXA9s\\DefaultIcon\\(Default)", "registry_key_name": "DefaultIcon", "registry_value_data": "C:\\ProgramData\\cHpfiXA9s.ico", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "2", "firstTime": "2023-01-16T11:47:23", "lastTime": "2023-01-16T11:47:23"}, {"action": "modified", "dest": "win-host-5.attackrange.local", "process_guid": 
"{21761711-83AE-607D-1200-00000000BB01}", "process_id": "304", "registry_hive": "null", "registry_path": "HKCR\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\DefaultIcon\\(Default)", "registry_key_name": "DefaultIcon", "registry_value_data": "%%SystemRoot%%\\system32\\shell32.dll,9", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:02:53", "lastTime": "2025-12-10T05:02:53"}, {"action": "modified", "dest": "win-host-5.attackrange.local", "process_guid": "{21761711-83AE-607D-1200-00000000BB01}", "process_id": "304", "registry_hive": "null", "registry_path": "HKCR\\WOW6432Node\\CLSID\\{C41EA8CD-DB89-40EF-8F8F-26FA7D57AAE7}\\DefaultIcon\\(Default)", "registry_key_name": "DefaultIcon", "registry_value_data": "%%SystemRoot%%\\system32\\shell32.dll,9", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1", "firstTime": "2025-12-10T05:02:53", "lastTime": "2025-12-10T05:02:53"}], "error": null} +{"file_name": "malicious_inprocserver32_modification.yml", "description": "The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. 
If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security.", "spl_query": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path=\"*\\\\CLSID\\\\{89565275-A714-4a43-912E-978B935EDCCC}\\\\InProcServer32\\\\(Default)\" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`", "results": [{"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-C108-6156-D900-000000000002}", "process_id": "5832", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-C10A-6156-DE00-000000000002}", "process_id": "5980", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "registry_value_name": "(Default)", 
"registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}, {"action": "modified", "dest": "win-dc-429.attackrange.local", "process_guid": "{5EBD8912-C10C-6156-E100-000000000002}", "process_id": "5556", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C03-6156-BE43-02000000F001}", "process_id": "8520", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C05-6156-C043-02000000F001}", "process_id": "1828", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": 
"Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C07-6156-C443-02000000F001}", "process_id": "2508", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C57-6156-D443-02000000F001}", "process_id": "3860", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C59-6156-D643-02000000F001}", "process_id": "3932", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", 
"process_guid": "{8B6011A9-0C5B-6156-DA43-02000000F001}", "process_id": "4388", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C66-6156-DE43-02000000F001}", "process_id": "3356", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C68-6156-E043-02000000F001}", "process_id": "6348", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C6A-6156-E243-02000000F001}", "process_id": "4864", "registry_hive": 
"HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C71-6156-E843-02000000F001}", "process_id": "6248", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C73-6156-EA43-02000000F001}", "process_id": "7432", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-0C75-6156-EC43-02000000F001}", "process_id": "8760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B3BD-6155-CF37-02000000F001}", "process_id": "5876", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B3BF-6155-D337-02000000F001}", "process_id": "6096", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B3C1-6155-D937-02000000F001}", "process_id": "6996", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B50B-6155-0538-02000000F001}", "process_id": "4760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B50D-6155-0738-02000000F001}", "process_id": "7340", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B50F-6155-0938-02000000F001}", "process_id": "8068", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B5D0-6155-2B38-02000000F001}", "process_id": "9320", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B5D2-6155-2D38-02000000F001}", "process_id": "3484", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B5D4-6155-2F38-02000000F001}", "process_id": "1476", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B652-6155-4938-02000000F001}", "process_id": "5256", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B654-6155-4E38-02000000F001}", "process_id": "8592", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B656-6155-5338-02000000F001}", "process_id": "5232", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B6DF-6154-C816-02000000F001}", "process_id": "9136", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B6E1-6154-CA16-02000000F001}", "process_id": "7640", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B6E3-6154-CC16-02000000F001}", "process_id": "8556", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B78F-6154-E916-02000000F001}", "process_id": "9532", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B792-6154-EB16-02000000F001}", "process_id": "4256", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B794-6154-ED16-02000000F001}", "process_id": "6472", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B9FC-6154-B919-02000000F001}", "process_id": "8232", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-B9FE-6154-E519-02000000F001}", "process_id": "7684", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA01-6154-061A-02000000F001}", "process_id": "6804", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA25-6154-0F1A-02000000F001}", "process_id": "1148", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA27-6154-111A-02000000F001}", "process_id": "8284", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BA29-6154-131A-02000000F001}", "process_id": "7208", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC45-6154-641A-02000000F001}", "process_id": "4740", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC47-6154-661A-02000000F001}", "process_id": "9344", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC49-6154-691A-02000000F001}", "process_id": "9176", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC7C-6154-761A-02000000F001}", "process_id": "8016", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC7E-6154-781A-02000000F001}", "process_id": "8960", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BC80-6154-7A1A-02000000F001}", "process_id": "8240", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BFBE-6155-AB39-02000000F001}", "process_id": "8412", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BFC1-6155-AD39-02000000F001}", "process_id": "7236", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-BFC3-6155-AF39-02000000F001}", "process_id": "6504", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C0D6-6155-DE39-02000000F001}", "process_id": "9908", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C0D8-6155-E039-02000000F001}", "process_id": "7960", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C0DA-6155-E239-02000000F001}", "process_id": "6836", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C17B-6154-181B-02000000F001}", "process_id": "4132", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C17E-6154-1A1B-02000000F001}", "process_id": "6760", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C180-6154-1C1B-02000000F001}", "process_id": "3584", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C19A-6154-211B-02000000F001}", "process_id": "10220", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C19C-6154-231B-02000000F001}", "process_id": "7744", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C19E-6154-251B-02000000F001}", "process_id": "6788", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C1AA-6154-2D1B-02000000F001}", "process_id": "6796", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C1AC-6154-2F1B-02000000F001}", "process_id": "5200", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C1AE-6154-311B-02000000F001}", "process_id": "9372", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C290-6155-1C3A-02000000F001}", "process_id": "5916", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C292-6155-1E3A-02000000F001}", "process_id": "9128", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-C294-6155-203A-02000000F001}", "process_id": "8552", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E23A-6155-3E3E-02000000F001}", "process_id": "8200", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E23C-6155-403E-02000000F001}", "process_id": "9412", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E23E-6155-423E-02000000F001}", "process_id": "4948", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E4FE-6155-C33E-02000000F001}", "process_id": "9860", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E500-6155-C53E-02000000F001}", "process_id": "8404", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-E502-6155-C73E-02000000F001}", "process_id": "9976", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-FA6C-6156-EE5F-02000000F001}", "process_id": "9912", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-FA6E-6156-F05F-02000000F001}", "process_id": "5244", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-469.attackrange.local", "process_guid": "{8B6011A9-FA70-6156-F85F-02000000F001}", "process_id": "8888", "registry_hive": "HKEY_CURRENT_USER", "registry_path": 
"HKU\\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\\Wow6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "3"}, {"action": "modified", "dest": "win-dc-970.attackrange.local", "process_guid": "{CBEA6AB7-5D70-6196-5A7D-000000000E02}", "process_id": "1776", "registry_hive": "HKEY_CURRENT_USER", "registry_path": "HKU\\S-1-5-21-492600379-461247840-3315989157-500_Classes\\WOW6432Node\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)", "registry_key_name": "InProcServer32", "registry_value_data": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\dynwrapx.dll", "registry_value_name": "(Default)", "registry_value_type": "unknown", "status": "success", "user": "unknown", "vendor_product": "Microsoft Sysmon", "count": "1"}], "error": null} diff --git a/total_replay/readme.md b/total_replay/readme.md index 7fa317bc..5061ea80 100644 --- a/total_replay/readme.md +++ b/total_replay/readme.md 
@@ -118,6 +118,73 @@ From there, you can choose whether to replay only detection GUIDs, only analytic C. TOTAL-REPLAY downloads the required Attack Data each time you execute or replay data during detection testing or development. To help reduce disk space usage, the tool generates a cached .yml file for every downloaded dataset. You can then use the `local_data_path` parameter to replay the cached data, allowing you to avoid downloading the same Attack Data again. +--- + +## Run Detections + +In addition to replaying attack data, TOTAL-REPLAY includes a detection runner tool (`run_detections.py`) that executes SPL queries from Security Content detection YAML files directly against your Splunk instance and outputs results to a JSONL file. + +### Environment Variables + +The detection runner requires the following environment variables (or config file settings): + +| Environment Variable | Description | +|------------------------|--------------------------------------| +| **SPLUNK_HOST** | Splunk server IP/hostname | +| **SPLUNK_USERNAME** | Splunk username for REST API auth | +| **SPLUNK_PASSWORD** | Splunk password for REST API auth | + +```bash +export SPLUNK_HOST= +export SPLUNK_USERNAME= +export SPLUNK_PASSWORD= +``` + +Alternatively, configure these in `configuration/config.yml`: +```yaml +splunk: + host: "your-splunk-server" + username: "admin" + password: "your-password" +``` + +### Usage Examples + +```bash +# Run all detections +python3 run_detections.py --all + +# Filter by detection name +python3 run_detections.py -n 'Windows Remote Services, CMLUA Or CMSTPLUA UAC Bypass' + +# Filter by MITRE ATT&CK technique ID +python3 run_detections.py -tid 'T1021, T1059' + +# Filter by detection GUID +python3 run_detections.py -g '01d29b48-ff6f-11eb-b81e-acde48001123' + +# Filter by analytic story +python3 run_detections.py -as 'AgentTesla, Remcos' + +# Custom output file and time range +python3 run_detections.py -as 'AgentTesla' --output results.jsonl --earliest 
-24h --latest now +``` + +### Options + +| Option | Description | +|---------------------------|--------------------------------------------------| +| `-n, --name` | Comma-separated detection names or filenames | +| `-tid, --technique_id` | Comma-separated MITRE ATT&CK technique IDs | +| `-g, --guid` | Comma-separated detection GUIDs | +| `-as, --analytic_story` | Comma-separated analytic stories | +| `-a, --all` | Run all detection YAML files | +| `-o, --output` | Output JSONL file path (default: detection_results.jsonl) | +| `-e, --earliest` | Earliest time for search (default: 0 = all time) | +| `-l, --latest` | Latest time for search (default: now) | + +--- + ### Other For replaying captured datasets or event logs during detection development or testing outside of the Splunk Security Content or Splunk Attack Data GitHub repositories, we recommend using the built-in replay.py feature provided by either Splunk Attack Range or Attack Data. diff --git a/total_replay/run_detections.py b/total_replay/run_detections.py new file mode 100644 index 00000000..a408bad7 --- /dev/null +++ b/total_replay/run_detections.py 
@@ -0,0 +1,516 @@ +""" +author: Claude Code +description: A utility tool to run SPL queries from security content detection YAML files against Splunk +and output results to a JSONL file. + +Splunk connection settings can be configured in two ways: + +1. Config file (configuration/config.yml): + splunk: + host: "your-splunk-server" + username: "admin" + password: "your-password" + +2. Environment variables (override config file values): + - SPLUNK_HOST: Splunk server IP/hostname + - SPLUNK_USERNAME: Splunk username for REST API authentication + - SPLUNK_PASSWORD: Splunk password for REST API authentication +""" + +import typer +import os +import sys +import yaml +import json +import requests +import time +import urllib.parse +from datetime import datetime +from pathlib import Path +from colorama import Fore, Style, init +from urllib3 import disable_warnings + +# Initialize colorama +init() + +# Disable SSL warnings +disable_warnings() + + +class ColorPrint: + """Simple color print utility""" + @staticmethod + def print_info_fg(msg): + print(Fore.GREEN + msg + Style.RESET_ALL) + + @staticmethod + def print_error_fg(msg): + print(Fore.RED + msg + Style.RESET_ALL) + + @staticmethod + def print_warning_fg(msg): + print(Fore.YELLOW + msg + Style.RESET_ALL) + + @staticmethod + def print_success_fg(msg): + print(Fore.CYAN + msg + Style.RESET_ALL) + + @staticmethod + def print_cyan_fg(msg): + print(Fore.CYAN + msg + Style.RESET_ALL) + + +class DetectionRunner: + """Class to run SPL queries from detection YAML files""" + + def __init__(self): + self.curdir = os.path.dirname(os.path.abspath(__file__)) + self.config = self.load_config() + + def normalized_args_tolist(self, input_args: str) -> list: + """Convert comma-separated string to list""" + return [i.strip() for i in input_args.split(',')] + + def load_config(self) -> dict: + """Load configuration from config.yml""" + config_path = os.path.join(self.curdir, "configuration", "config.yml") + try: + with open(config_path, 
"r") as f: + config = yaml.safe_load(f) + if config is None: + ColorPrint.print_error_fg(f"[-][. ERROR]: Configuration file is empty: {config_path}") + return {} + return config + except FileNotFoundError: + ColorPrint.print_error_fg(f"[-][. ERROR]: Configuration file not found: {config_path}") + return {} + except yaml.YAMLError as e: + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to parse configuration file: {e}") + return {} + + def read_config_settings(self, setting_field: str) -> str: + """Read a specific setting from config""" + if not self.config: + return None + return self.config.get("settings", {}).get(setting_field) + + def load_splunk_config(self) -> dict: + """Load Splunk connection settings from config file and/or environment variables. + + Environment variables take precedence over config file values. + """ + ColorPrint.print_info_fg("[+][. INFO]: ... Loading Splunk connection settings ...") + + # First, try to load from config file + splunk_config = self.config.get("splunk", {}) + + settings = { + "host": splunk_config.get("host", ""), + "username": splunk_config.get("username", ""), + "password": splunk_config.get("password", "") + } + + # Environment variables override config file values + env_mappings = { + "SPLUNK_HOST": "host", + "SPLUNK_USERNAME": "username", + "SPLUNK_PASSWORD": "password" + } + + for env_var, key in env_mappings.items(): + env_value = os.environ.get(env_var) + if env_value: + settings[key] = env_value + ColorPrint.print_info_fg(f"[+][. INFO]: ... Using {env_var} from environment variable") + + # Check for missing required settings + missing = [k for k, v in settings.items() if not v] + + if missing: + ColorPrint.print_error_fg(f"[-][. ERROR]: Missing Splunk settings: {', '.join(missing)}") + ColorPrint.print_error_fg("[-][. ERROR]: Set values in config.yml or use environment variables:") + ColorPrint.print_error_fg("[-][. 
ERROR]: SPLUNK_HOST, SPLUNK_USERNAME, SPLUNK_PASSWORD") + return None + + ColorPrint.print_success_fg("[+][SUCCESS]: ... Splunk connection settings loaded successfully") + return settings + + def read_yaml_file(self, file_path: str) -> dict: + """Read and parse a YAML file""" + try: + with open(file_path, "r") as f: + return yaml.safe_load(f) + except Exception as e: + return None + + def get_all_yaml_files(self) -> list: + """Get all YAML files from security content detections directory""" + security_content_dir_path = self.read_config_settings("security_content_detection_path") + if security_content_dir_path is None: + ColorPrint.print_error_fg("[-][. ERROR]: Failed to read security_content_detection_path from config") + return [] + + expanded_path = os.path.expanduser(security_content_dir_path) + if not os.path.isdir(expanded_path): + ColorPrint.print_error_fg(f"[-][. ERROR]: Detection directory does not exist: {expanded_path}") + return [] + + all_yaml_files = [] + for root, dirs, files in os.walk(expanded_path): + if "deprecated" in dirs: + dirs.remove("deprecated") + for file in files: + if file.endswith((".yaml", ".yml")): + all_yaml_files.append(os.path.join(root, file)) + + return all_yaml_files + + def filter_by_name(self, yaml_files: list, names: list) -> list: + """Filter YAML files by detection name or filename""" + filtered = [] + names_lower = [n.lower() for n in names] + + for file_path in yaml_files: + file_name = os.path.basename(file_path).replace(".yml", "").replace(".yaml", "") + + # Check filename match + if file_name.lower() in names_lower: + filtered.append(file_path) + continue + + # Check detection name in YAML + yaml_data = self.read_yaml_file(file_path) + if yaml_data and yaml_data.get("name", "").lower() in names_lower: + filtered.append(file_path) + + return filtered + + def filter_by_technique_id(self, yaml_files: list, technique_ids: list) -> list: + """Filter YAML files by MITRE ATT&CK technique ID""" + filtered = [] + tids_lower = 
[t.lower() for t in technique_ids] + + for file_path in yaml_files: + yaml_data = self.read_yaml_file(file_path) + if yaml_data: + mitre_ids = yaml_data.get("tags", {}).get("mitre_attack_id", []) + if mitre_ids: + for mid in mitre_ids: + if mid.lower() in tids_lower: + filtered.append(file_path) + break + + return filtered + + def filter_by_guid(self, yaml_files: list, guids: list) -> list: + """Filter YAML files by detection GUID""" + filtered = [] + guids_lower = [g.lower() for g in guids] + + for file_path in yaml_files: + yaml_data = self.read_yaml_file(file_path) + if yaml_data: + detection_id = yaml_data.get("id", "").lower() + if detection_id in guids_lower: + filtered.append(file_path) + + return filtered + + def filter_by_analytic_story(self, yaml_files: list, stories: list) -> list: + """Filter YAML files by analytic story""" + filtered = [] + stories_lower = [s.lower() for s in stories] + + for file_path in yaml_files: + yaml_data = self.read_yaml_file(file_path) + if yaml_data: + analytic_stories = yaml_data.get("tags", {}).get("analytic_story", []) + if analytic_stories: + for story in analytic_stories: + if story.lower() in stories_lower: + filtered.append(file_path) + break + + return filtered + + def run_splunk_search(self, splunk_host: str, username: str, password: str, + spl_query: str, earliest_time: str = "-24h", latest_time: str = "now") -> dict: + """Run an SPL query on Splunk and return results""" + + # Create search job + search_url = f"https://{splunk_host}:8089/services/search/jobs" + + search_data = { + "search": f"search {spl_query}" if not spl_query.strip().startswith("|") else spl_query, + "earliest_time": earliest_time, + "latest_time": latest_time, + "output_mode": "json" + } + + max_retries = 3 + retry_delay = 30 + + for attempt in range(1, max_retries + 1): + try: + # Create the search job + response = requests.post( + search_url, + data=search_data, + auth=(username, password), + verify=False, + timeout=60 + ) + 
response.raise_for_status() + + job_response = response.json() + job_sid = job_response.get("sid") + + if not job_sid: + return {"error": "Failed to get search job SID", "results": []} + + # Poll for job completion + job_status_url = f"https://{splunk_host}:8089/services/search/jobs/{job_sid}" + + while True: + status_response = requests.get( + job_status_url, + params={"output_mode": "json"}, + auth=(username, password), + verify=False, + timeout=60 + ) + status_response.raise_for_status() + + status_data = status_response.json() + dispatch_state = status_data.get("entry", [{}])[0].get("content", {}).get("dispatchState", "") + + if dispatch_state == "DONE": + break + elif dispatch_state == "FAILED": + return {"error": "Search job failed", "results": []} + + time.sleep(2) + + # Get results + results_url = f"https://{splunk_host}:8089/services/search/jobs/{job_sid}/results" + results_response = requests.get( + results_url, + params={"output_mode": "json", "count": 0}, + auth=(username, password), + verify=False, + timeout=120 + ) + results_response.raise_for_status() + + results_data = results_response.json() + return {"error": None, "results": results_data.get("results", [])} + + except requests.exceptions.Timeout as e: + if attempt < max_retries: + ColorPrint.print_warning_fg(f"[!][WARNING]: Request timed out (attempt {attempt}/{max_retries}). 
Retrying in {retry_delay} seconds...") + time.sleep(retry_delay) + else: + return {"error": f"Request timed out after {max_retries} attempts: {e}", "results": []} + except requests.exceptions.ConnectionError as e: + return {"error": f"Connection error: {e}", "results": []} + except requests.exceptions.HTTPError as e: + return {"error": f"HTTP error: {e.response.status_code} - {e.response.text}", "results": []} + except Exception as e: + return {"error": f"Unexpected error: {e}", "results": []} + + return {"error": "Max retries exceeded", "results": []} + + def process_detections(self, yaml_files: list, output_file: str, earliest_time: str, latest_time: str) -> None: + """Process detection YAML files and run their SPL queries""" + + ColorPrint.print_cyan_fg("\n" + "=" * 80) + ColorPrint.print_cyan_fg(" DETECTION RUNNER - Running SPL queries from Security Content") + ColorPrint.print_cyan_fg("=" * 80 + "\n") + + # Load Splunk connection settings + splunk_settings = self.load_splunk_config() + if not splunk_settings: + return + + splunk_host = splunk_settings['host'] + username = splunk_settings['username'] + password = splunk_settings['password'] + + if not yaml_files: + ColorPrint.print_error_fg("[-][. ERROR]: No YAML files to process") + return + + total_files = len(yaml_files) + ColorPrint.print_info_fg(f"[+][. INFO]: ... Found {total_files} YAML files to process") + + # Process each file and write results to JSONL + processed = 0 + skipped = 0 + errors = 0 + + with open(output_file, "w") as out_f: + for ctr, file_path in enumerate(yaml_files): + ColorPrint.print_info_fg(f"[+][. INFO]: ... Processing {ctr+1}/{total_files}: {file_path}") + + yaml_data = self.read_yaml_file(file_path) + if yaml_data is None: + ColorPrint.print_warning_fg(f"[!][WARNING]: ... 
Skipping invalid YAML file: {file_path}") + skipped += 1 + continue + + # Extract required fields + file_name = os.path.basename(file_path) + description = yaml_data.get("description", "No description available") + spl_query = yaml_data.get("search", None) + + if not spl_query: + ColorPrint.print_warning_fg(f"[!][WARNING]: ... No SPL query found in: {file_name}") + skipped += 1 + continue + + ColorPrint.print_info_fg(f"[+][. INFO]: ... Running SPL query for: {yaml_data.get('name', file_name)}") + + # Build the exact query that will be sent to Splunk + exact_query = f"search {spl_query}" if not spl_query.strip().startswith("|") else spl_query + ColorPrint.print_info_fg(f"[+][. INFO]: ... SPL Query: {exact_query}") + + # Run the SPL query + search_result = self.run_splunk_search( + splunk_host, username, password, + spl_query, earliest_time, latest_time + ) + + if search_result["error"]: + ColorPrint.print_error_fg(f"[-][. ERROR]: Query failed: {search_result['error']}") + errors += 1 + else: + ColorPrint.print_success_fg(f"[+][SUCCESS]: ... Got {len(search_result['results'])} results") + processed += 1 + + # Create output record + output_record = { + "file_name": file_name, + "description": description, + "spl_query": spl_query, + "results": search_result["results"], + "error": search_result["error"] + } + + # Write to JSONL + out_f.write(json.dumps(output_record) + "\n") + + ColorPrint.print_cyan_fg("\n" + "=" * 80) + ColorPrint.print_info_fg(f"[+][. INFO]: ... Processing complete!") + ColorPrint.print_info_fg(f"[+][. INFO]: ... Total files: {total_files}") + ColorPrint.print_info_fg(f"[+][. INFO]: ... Processed: {processed}") + ColorPrint.print_info_fg(f"[+][. INFO]: ... Skipped: {skipped}") + ColorPrint.print_info_fg(f"[+][. INFO]: ... Errors: {errors}") + ColorPrint.print_success_fg(f"[+][SUCCESS]: ... 
Results written to: {output_file}") + ColorPrint.print_cyan_fg("=" * 80 + "\n") + + +def main(): + app = typer.Typer() + + @app.command() + def run( + detection_name: str = typer.Option( + None, "--name", "-n", + help="Comma-separated list of detection names or YAML filenames.\n\n" + ), + technique_id: str = typer.Option( + None, "--technique_id", "-tid", + help="Comma-separated list of MITRE ATT&CK technique IDs.\n\n" + ), + guid: str = typer.Option( + None, "--guid", "-g", + help="Comma-separated list of detection GUIDs.\n\n" + ), + analytic_story: str = typer.Option( + None, "--analytic_story", "-as", + help="Comma-separated list of analytic stories.\n\n" + ), + all_detections: bool = typer.Option( + False, "--all", "-a", + help="Run SPL queries for ALL detection YAML files.\n\n" + ), + output_file: str = typer.Option( + "detection_results.jsonl", + "--output", "-o", + help="Output JSONL file path for results" + ), + earliest_time: str = typer.Option( + "0", + "--earliest", "-e", + help="Earliest time for SPL search (e.g., 0 for all time, -24h, -7d, 2024-01-01T00:00:00)" + ), + latest_time: str = typer.Option( + "now", + "--latest", "-l", + help="Latest time for SPL search (e.g., now, -1h, 2024-01-01T23:59:59)" + ), + ): + """ + Run SPL queries from security content detection YAML files against Splunk. + + Splunk connection can be configured via config.yml or environment variables. + Environment variables (SPLUNK_HOST, SPLUNK_USERNAME, SPLUNK_PASSWORD) override config file. + + Examples: + python3 run_detections.py --all + python3 run_detections.py -n 'Windows Remote Services' + python3 run_detections.py -tid 'T1021, T1059' + python3 run_detections.py -as 'AgentTesla' --output results.jsonl + """ + runner = DetectionRunner() + + # Get all YAML files first + all_yaml_files = runner.get_all_yaml_files() + if not all_yaml_files: + return + + yaml_files_to_process = [] + + if detection_name: + ColorPrint.print_info_fg("[+][. INFO]: ... 
Filtering by detection name ...") + names = runner.normalized_args_tolist(detection_name) + yaml_files_to_process = runner.filter_by_name(all_yaml_files, names) + ColorPrint.print_info_fg(f"[+][. INFO]: ... Found {len(yaml_files_to_process)} matching detections") + + elif technique_id: + ColorPrint.print_info_fg("[+][. INFO]: ... Filtering by MITRE ATT&CK technique ID ...") + tids = runner.normalized_args_tolist(technique_id) + yaml_files_to_process = runner.filter_by_technique_id(all_yaml_files, tids) + ColorPrint.print_info_fg(f"[+][. INFO]: ... Found {len(yaml_files_to_process)} matching detections") + + elif guid: + ColorPrint.print_info_fg("[+][. INFO]: ... Filtering by detection GUID ...") + guids = runner.normalized_args_tolist(guid) + yaml_files_to_process = runner.filter_by_guid(all_yaml_files, guids) + ColorPrint.print_info_fg(f"[+][. INFO]: ... Found {len(yaml_files_to_process)} matching detections") + + elif analytic_story: + ColorPrint.print_info_fg("[+][. INFO]: ... Filtering by analytic story ...") + stories = runner.normalized_args_tolist(analytic_story) + yaml_files_to_process = runner.filter_by_analytic_story(all_yaml_files, stories) + ColorPrint.print_info_fg(f"[+][. INFO]: ... Found {len(yaml_files_to_process)} matching detections") + + elif all_detections: + ColorPrint.print_info_fg("[+][. INFO]: ... Processing ALL detection YAML files ...") + yaml_files_to_process = all_yaml_files + + else: + ColorPrint.print_error_fg("[-][. ERROR]: No filter specified. Use --all for all detections, or filter by --name, --technique_id, --guid, or --analytic_story") + return + + if not yaml_files_to_process: + ColorPrint.print_error_fg("[-][. ERROR]: No matching detections found") + return + + runner.process_detections(yaml_files_to_process, output_file, earliest_time, latest_time) + + app() + + +if __name__ == "__main__": + main() diff --git a/total_replay/total_replay.py b/total_replay/total_replay.py index 3f31a393..3c323ae7 100644 
--- a/total_replay/total_replay.py +++ b/total_replay/total_replay.py @@ -11,6 +11,7 @@ import os import sys import yaml +import logging from rich.live import Live from rich.layout import Layout from rich.panel import Panel @@ -21,6 +22,16 @@ from utility.utility_helper import UtilityHelper +# Configure logging +logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(name)s - %(levelname)s - %(message)s', + handlers=[ + logging.StreamHandler(sys.stderr) + ] +) +logger = logging.getLogger(__name__) + def main(): @@ -53,9 +64,11 @@ def input_helps( help="file path that contains security content detection guid.\n\n "), file_detection_analytic_story: str = typer.Option(None, "--file_detection_analytic_story", "-fas", help="file path that contains security content detection analytic story.\n\n "), - file_detection_greedy: str = typer.Option(None, "--file_detection_greedy", "-fgr", + file_detection_greedy: str = typer.Option(None, "--file_detection_greedy", "-fgr", help="file path that contains security content detection analytic story, technique ID, guid and detection name.\n\n "), - index_value: str = typer.Option("test", "--index", "-i", + all_detections: bool = typer.Option(False, "--all", "-a", + help="Replay attack data for ALL detection YAML files in security content.\n\n "), + index_value: str = typer.Option("test", "--index", "-i", help="Index to replay the attack data. Set this first if you want to use a different index.\n\n ", hidden=True), ): 
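Review bot: `logging.basicConfig(level=logging.INFO, ...)` hard-wires the level, so the `logger.debug(...)` calls this diff adds in `utility_helper.py` can never be emitted and there is no way to quiet the tool in a CI run; reading it from the environment, `level=os.environ.get("TOTAL_REPLAY_LOG_LEVEL", "INFO").upper()`, keeps the default while allowing both (`os` is already imported in this file). Sending log records to stderr is a sensible split if the `ColorPrint` status lines go to stdout, but the later hunks emit every failure twice — once via `logger.error` and once via `ColorPrint.print_error_fg` with the same text — so an interactive user sees each message duplicated; consider keeping only one of the two per branch.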
@@ -64,110 +77,236 @@ def input_helps( ### via console if detection_name: ColorPrint.print_yellow_fg("[+][. INFO]: Searching For both Security Content Detection Name and .YML Filename ...") + logger.info(f"Processing detection name search: {detection_name}") normalized_list_args = uh.normalized_args_tolist(detection_name) + if not normalized_list_args: + logger.error("Failed to parse detection name argument") + ColorPrint.print_error_fg("[+][. ERROR]: Failed to parse detection name argument") + return generated_guid = uuid.uuid4() marker_uid = "detection_name_replay_" + str(generated_guid) - uh.process_replay_attack_data_by_file_name("file_name", normalized_list_args, index_value, marker_uid) - uh.process_replay_attack_data("name", normalized_list_args, index_value, marker_uid) + try: + uh.process_replay_attack_data_by_file_name("file_name", normalized_list_args, index_value, marker_uid) + uh.process_replay_attack_data("name", normalized_list_args, index_value, marker_uid) + except Exception as e: + logger.error(f"Error processing detection name replay: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. ERROR]: Failed to process detection name replay: {e}") elif guid: ColorPrint.print_yellow_fg("[+][. INFO]: Searching For Security Content Detection GUID ...") + logger.info(f"Processing GUID search: {guid}") normalized_list_args = uh.normalized_args_tolist(guid) + if not normalized_list_args: + logger.error("Failed to parse GUID argument") + ColorPrint.print_error_fg("[+][. ERROR]: Failed to parse GUID argument") + return generated_guid = uuid.uuid4() marker_uid = "guid_replay_" + str(generated_guid) - uh.process_replay_attack_data("id", normalized_list_args, index_value, marker_uid) + try: + uh.process_replay_attack_data("id", normalized_list_args, index_value, marker_uid) + except Exception as e: + logger.error(f"Error processing GUID replay: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Failed to process GUID replay: {e}") elif technique_id: ColorPrint.print_yellow_fg("[+][. INFO]: Searching For Security Content Detection Mitre ATT&CK Technique ID ...") + logger.info(f"Processing technique ID search: {technique_id}") normalized_list_args = uh.normalized_args_tolist(technique_id) + if not normalized_list_args: + logger.error("Failed to parse technique ID argument") + ColorPrint.print_error_fg("[+][. ERROR]: Failed to parse technique ID argument") + return generated_guid = uuid.uuid4() marker_uid = "technique_id_replay_" + str(generated_guid) - uh.process_replay_attack_data("mitre_attack_id", normalized_list_args, index_value, marker_uid) + try: + uh.process_replay_attack_data("mitre_attack_id", normalized_list_args, index_value, marker_uid) + except Exception as e: + logger.error(f"Error processing technique ID replay: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. ERROR]: Failed to process technique ID replay: {e}") elif analytic_story: ColorPrint.print_yellow_fg("[+][. INFO]: Searching For Security Content Analytic Story ...") + logger.info(f"Processing analytic story search: {analytic_story}") normalized_list_args = uh.normalized_args_tolist(analytic_story) + if not normalized_list_args: + logger.error("Failed to parse analytic story argument") + ColorPrint.print_error_fg("[+][. ERROR]: Failed to parse analytic story argument") + return generated_guid = uuid.uuid4() marker_uid = "analytic_story_replay_" + str(generated_guid) - uh.process_replay_attack_data("analytic_story", normalized_list_args, index_value, marker_uid) + try: + uh.process_replay_attack_data("analytic_story", normalized_list_args, index_value, marker_uid) + except Exception as e: + logger.error(f"Error processing analytic story replay: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Failed to process analytic story replay: {e}") ### by file input elif file_detection_name: - segregate = uh.normalized_file_args(file_detection_name) - generated_guid = uuid.uuid4() - marker_uid = "file_detection_name_replay_" + str(generated_guid) + logger.info(f"Processing detection names from file: {file_detection_name}") + if not os.path.isfile(file_detection_name): + logger.error(f"Input file not found: {file_detection_name}") + ColorPrint.print_error_fg(f"[+][. ERROR]: Input file not found: {file_detection_name}") + return + try: + segregate = uh.normalized_file_args(file_detection_name) + if not segregate: + logger.warning(f"No valid entries found in file: {file_detection_name}") + ColorPrint.print_warning_fg(f"[!][WARNING]: No valid entries found in file: {file_detection_name}") + return + generated_guid = uuid.uuid4() + marker_uid = "file_detection_name_replay_" + str(generated_guid) - if "detection_filename" in segregate: - normalized_list_args = segregate['detection_filename'] - uh.process_replay_attack_data_by_file_name("file_name", normalized_list_args, index_value, marker_uid) - - if "detection_and_analytic_story_name" in segregate: - normalized_list_args = segregate['detection_and_analytic_story_name'] - uh.process_replay_attack_data("name", normalized_list_args, index_value, marker_uid) + if "detection_filename" in segregate: + normalized_list_args = segregate['detection_filename'] + uh.process_replay_attack_data_by_file_name("file_name", normalized_list_args, index_value, marker_uid) + + if "detection_and_analytic_story_name" in segregate: + normalized_list_args = segregate['detection_and_analytic_story_name'] + uh.process_replay_attack_data("name", normalized_list_args, index_value, marker_uid) + except Exception as e: + logger.error(f"Error processing file detection name: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Failed to process file: {e}") elif file_detection_tid: - segregate = uh.normalized_file_args(file_detection_tid) - - if "mitre_attack_tid" in segregate: - normalized_list_args = segregate['mitre_attack_tid'] - generated_guid = uuid.uuid4() - marker_uid = "file_detection_tid_replay_" + str(generated_guid) - uh.process_replay_attack_data("mitre_attack_id", normalized_list_args, index_value, marker_uid) + logger.info(f"Processing technique IDs from file: {file_detection_tid}") + if not os.path.isfile(file_detection_tid): + logger.error(f"Input file not found: {file_detection_tid}") + ColorPrint.print_error_fg(f"[+][. ERROR]: Input file not found: {file_detection_tid}") + return + try: + segregate = uh.normalized_file_args(file_detection_tid) + if not segregate: + logger.warning(f"No valid entries found in file: {file_detection_tid}") + ColorPrint.print_warning_fg(f"[!][WARNING]: No valid entries found in file: {file_detection_tid}") + return + + if "mitre_attack_tid" in segregate: + normalized_list_args = segregate['mitre_attack_tid'] + generated_guid = uuid.uuid4() + marker_uid = "file_detection_tid_replay_" + str(generated_guid) + uh.process_replay_attack_data("mitre_attack_id", normalized_list_args, index_value, marker_uid) + else: + logger.warning("No MITRE ATT&CK technique IDs found in file") + ColorPrint.print_warning_fg("[!][WARNING]: No MITRE ATT&CK technique IDs found in file") + except Exception as e: + logger.error(f"Error processing technique ID file: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Failed to process file: {e}") elif file_detection_guid: - segregate = uh.normalized_file_args(file_detection_guid) - - if "guid" in segregate: - normalized_list_args = segregate['guid'] - generated_guid = uuid.uuid4() - marker_uid = "file_detection_guid_replay_" + str(generated_guid) - uh.process_replay_attack_data("id", normalized_list_args, index_value, marker_uid) + logger.info(f"Processing GUIDs from file: {file_detection_guid}") + if not os.path.isfile(file_detection_guid): + logger.error(f"Input file not found: {file_detection_guid}") + ColorPrint.print_error_fg(f"[+][. ERROR]: Input file not found: {file_detection_guid}") + return + try: + segregate = uh.normalized_file_args(file_detection_guid) + if not segregate: + logger.warning(f"No valid entries found in file: {file_detection_guid}") + ColorPrint.print_warning_fg(f"[!][WARNING]: No valid entries found in file: {file_detection_guid}") + return + + if "guid" in segregate: + normalized_list_args = segregate['guid'] + generated_guid = uuid.uuid4() + marker_uid = "file_detection_guid_replay_" + str(generated_guid) + uh.process_replay_attack_data("id", normalized_list_args, index_value, marker_uid) + else: + logger.warning("No GUIDs found in file") + ColorPrint.print_warning_fg("[!][WARNING]: No GUIDs found in file") + except Exception as e: + logger.error(f"Error processing GUID file: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Failed to process file: {e}") elif file_detection_analytic_story: - - segregate = uh.normalized_file_args(file_detection_analytic_story) - - if "detection_and_analytic_story_name" in segregate: - normalized_list_args = segregate['detection_and_analytic_story_name'] - generated_guid = uuid.uuid4() - marker_uid = "file_detection_analytic_story_replay_" + str(generated_guid) - uh.process_replay_attack_data("analytic_story", normalized_list_args, index_value, marker_uid) + logger.info(f"Processing analytic stories from file: {file_detection_analytic_story}") + if not os.path.isfile(file_detection_analytic_story): + logger.error(f"Input file not found: {file_detection_analytic_story}") + ColorPrint.print_error_fg(f"[+][. ERROR]: Input file not found: {file_detection_analytic_story}") + return + try: + segregate = uh.normalized_file_args(file_detection_analytic_story) + if not segregate: + logger.warning(f"No valid entries found in file: {file_detection_analytic_story}") + ColorPrint.print_warning_fg(f"[!][WARNING]: No valid entries found in file: {file_detection_analytic_story}") + return + + if "detection_and_analytic_story_name" in segregate: + normalized_list_args = segregate['detection_and_analytic_story_name'] + generated_guid = uuid.uuid4() + marker_uid = "file_detection_analytic_story_replay_" + str(generated_guid) + uh.process_replay_attack_data("analytic_story", normalized_list_args, index_value, marker_uid) + else: + logger.warning("No analytic story names found in file") + ColorPrint.print_warning_fg("[!][WARNING]: No analytic story names found in file") + except Exception as e: + logger.error(f"Error processing analytic story file: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Failed to process file: {e}") elif file_detection_greedy: - segregate = uh.normalized_file_args(file_detection_greedy) - generated_guid = uuid.uuid4() - marker_uid = "file_detection_greedy_replay_" + str(generated_guid) - - if "detection_filename" in segregate: - ColorPrint.print_info_fg("[+] greedy replay... [detection_filename]") - normalized_list_args = segregate['detection_filename'] - uh.process_replay_attack_data_by_file_name("file_name", normalized_list_args, index_value, marker_uid) - - if "detection_and_analytic_story_name" in segregate: - ColorPrint.print_info_fg("[+] greedy replay... [detection_and_analytic_story_name]") - normalized_list_args = segregate['detection_and_analytic_story_name'] - uh.process_replay_attack_data("name", normalized_list_args, index_value, marker_uid) - uh.process_replay_attack_data("analytic_story", normalized_list_args, index_value, marker_uid) - - if "mitre_attack_id" in segregate: - ColorPrint.print_info_fg("[+] greedy replay... [mitre_attack_id]") - normalized_list_args = segregate['mitre_attack_id'] - uh.process_replay_attack_data("mitre_attack_id", normalized_list_args, index_value, marker_uid) - - if "guid" in segregate: - ColorPrint.print_info_fg("[+] greedy replay... [mitre_attack_id]") - normalized_list_args = segregate['guid'] - uh.process_replay_attack_data("id", normalized_list_args, index_value, marker_uid) - + logger.info(f"Processing greedy mode from file: {file_detection_greedy}") + if not os.path.isfile(file_detection_greedy): + logger.error(f"Input file not found: {file_detection_greedy}") + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Input file not found: {file_detection_greedy}") + return + try: + segregate = uh.normalized_file_args(file_detection_greedy) + if not segregate: + logger.warning(f"No valid entries found in file: {file_detection_greedy}") + ColorPrint.print_warning_fg(f"[!][WARNING]: No valid entries found in file: {file_detection_greedy}") + return + generated_guid = uuid.uuid4() + marker_uid = "file_detection_greedy_replay_" + str(generated_guid) + + if "detection_filename" in segregate: + ColorPrint.print_info_fg("[+] greedy replay... [detection_filename]") + normalized_list_args = segregate['detection_filename'] + uh.process_replay_attack_data_by_file_name("file_name", normalized_list_args, index_value, marker_uid) + + if "detection_and_analytic_story_name" in segregate: + ColorPrint.print_info_fg("[+] greedy replay... [detection_and_analytic_story_name]") + normalized_list_args = segregate['detection_and_analytic_story_name'] + uh.process_replay_attack_data("name", normalized_list_args, index_value, marker_uid) + uh.process_replay_attack_data("analytic_story", normalized_list_args, index_value, marker_uid) + + if "mitre_attack_id" in segregate: + ColorPrint.print_info_fg("[+] greedy replay... [mitre_attack_id]") + normalized_list_args = segregate['mitre_attack_id'] + uh.process_replay_attack_data("mitre_attack_id", normalized_list_args, index_value, marker_uid) + + if "guid" in segregate: + ColorPrint.print_info_fg("[+] greedy replay... [guid]") + normalized_list_args = segregate['guid'] + uh.process_replay_attack_data("id", normalized_list_args, index_value, marker_uid) + except Exception as e: + logger.error(f"Error processing greedy file: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. 
ERROR]: Failed to process file: {e}") elif local_data_path: - uh.process_local_yaml_cache(local_data_path, index_value) - + logger.info(f"Processing local cache from: {local_data_path}") + try: + uh.process_local_yaml_cache(local_data_path, index_value) + except Exception as e: + logger.error(f"Error processing local cache: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. ERROR]: Failed to process local cache: {e}") + + elif all_detections: + ColorPrint.print_yellow_fg("[+][. INFO]: Replaying attack data for ALL detection YAML files ...") + logger.info("Processing ALL detection YAML files") + generated_guid = uuid.uuid4() + marker_uid = "all_detections_replay_" + str(generated_guid) + try: + uh.process_replay_all_detections(index_value, marker_uid) + except Exception as e: + logger.error(f"Error processing all detections replay: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[+][. ERROR]: Failed to process all detections replay: {e}") else: - ColorPrint.print_error_fg("[+] [STATUS]: [ERROR] invalid inputs\n") + logger.error("No valid input provided. Use --help for usage information.") + ColorPrint.print_error_fg("[+][. ERROR]: No valid input provided. Use --help for usage information.\n") + return - ColorPrint.print_success_fg("Thank you... <(^_^)>") + ColorPrint.print_success_fg("Thank you... <(^_^)>") + logger.info("Total replay completed successfully") app() diff --git a/total_replay/utility/utility_helper.py b/total_replay/utility/utility_helper.py index 2deea2d9..2d9a71c9 100644 --- a/total_replay/utility/utility_helper.py +++ b/total_replay/utility/utility_helper.py @@ -12,12 +12,14 @@ import sys import yaml import platform +import logging from pathlib import Path from colorama import Fore, Back, Style, init import datetime import json import requests import subprocess +import time import typer import uuid import re 
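Review bot: Every new `except Exception` handler in this hunk (the `file_detection_greedy` one ending at the top of this line, and the `local_data_path` and `all_detections` ones after it) logs the failure and then falls through to `Thank you... <(^_^)>` and `logger.info("Total replay completed successfully")`, so a replay that blew up part-way still exits with status 0 and reports success, which masks the error for anyone running this in a CI detection-testing job. Ending each handler with `raise typer.Exit(code=1)` after the `ColorPrint.print_error_fg(...)` call keeps the new diagnostics while making the failure visible to the caller. Two smaller things: the `-ftid` branch looks for `"mitre_attack_tid"` in `segregate` while the greedy branch looks for `"mitre_attack_id"`, so unless `normalized_file_args` emits both keys one of those paths silently replays nothing — worth confirming against that helper; and the new `--all` path calls `uh.process_replay_all_detections`, which is not defined in the `utility_helper.py` hunks of this diff, so confirm it exists. `input_helps` begins outside this hunk.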
@@ -28,6 +30,9 @@ from utility.color_print import ColorPrint import json +# Configure module-level logger +logger = logging.getLogger(__name__) + class UtilityHelper: def __init__(self): @@ -47,13 +52,40 @@ def get_config_file_path(self)->str: return self.config_file_path def load_config(self)->str: - with open(self.get_config_file_path(), "r") as file: - return yaml.safe_load(file) + config_path = self.get_config_file_path() + try: + with open(config_path, "r") as file: + config = yaml.safe_load(file) + if config is None: + logger.error(f"Configuration file is empty: {config_path}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Configuration file is empty: {config_path}") + return {} + return config + except FileNotFoundError: + logger.error(f"Configuration file not found: {config_path}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Configuration file not found: {config_path}") + return {} + except yaml.YAMLError as e: + logger.error(f"Failed to parse configuration file: {e}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to parse configuration file: {e}") + return {} + except Exception as e: + logger.error(f"Unexpected error loading configuration: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[-][. ERROR]: Unexpected error loading configuration: {e}") + return {} def read_config_settings(self, setting_field:str, key_tag="settings")->str: cfg = self.load_config() - config_field = cfg[key_tag][setting_field] - return config_field + if not cfg: + logger.error("Failed to load configuration") + return None + try: + config_field = cfg[key_tag][setting_field] + return config_field + except KeyError: + logger.error(f"Configuration key not found: {key_tag}.{setting_field}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Configuration key not found: {key_tag}.{setting_field}") + return None ############################################# ### helper functions 
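Review bot: `read_config_settings` now returns `None` for a missing key but only catches `KeyError`; if `cfg[key_tag]` parses to something that is not a mapping — a list, a scalar, or `None` from an empty `settings:` stanza — the `cfg[key_tag][setting_field]` subscript raises `TypeError`, which escapes uncaught despite the new defensive intent. Widening the handler to `except (KeyError, TypeError):` covers that with the same error message. The annotations are also now misleading: `load_config` returns a `dict` (or `{}`) and `read_config_settings` a `str | None`, and the callers later in this diff do test for `None`, so `-> dict` and `-> str | None` would document the new contract. Note too that `load_config` re-opens and re-parses the YAML on every `read_config_settings` call, and the replay loop later in this diff calls it several times per detection; caching the parsed config on `self` after the first successful load would remove that repeated file I/O.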
@@ -126,66 +158,91 @@ def footer_divider(self,footer:str): def load_environment_variables(self)->dict: """Load required environment variables for Splunk connection.""" ColorPrint.print_info_fg("[+][. INFO]: ... Checking SPLUNK HOST and HEC_TOKEN ENV VARIABLE ...") + logger.debug("Loading environment variables for Splunk connection") required_vars = ['SPLUNK_HOST', 'SPLUNK_HEC_TOKEN'] env_vars = {} + missing_vars = [] for var in required_vars: value = os.environ.get(var) if not value: - ColorPrint.print_error_fg(f"[-][. ERROR]: ... Environment variable {var} is required but not set") - return {} - #raise ValueError(f"[-][. ERROR]: Environment variable {var} is required but not set") - env_vars[var.lower().replace('splunk_', '')] = value + missing_vars.append(var) + else: + env_vars[var.lower().replace('splunk_', '')] = value + + if missing_vars: + error_msg = f"Required environment variable(s) not set: {', '.join(missing_vars)}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + ColorPrint.print_error_fg("[-][. ERROR]: Please set SPLUNK_HOST and SPLUNK_HEC_TOKEN environment variables") + return {} + + logger.debug("Environment variables loaded successfully") return env_vars def normalized_args_tolist(self, input_args:str)->list: return [i.strip() for i in input_args.split(',')] def parse_needed_detection_name(self, normalized_args_list:list)->list: - + """Parse and find detection YAML files by filename.""" + logger.debug(f"Parsing detection names: {normalized_args_list}") + ColorPrint.print_info_fg(f'[+][. INFO]: ... Enumerating detection .yml file name ... []') security_content_dir_path = self.read_config_settings("security_content_detection_path") - if not os.path.isdir(os.path.expanduser(security_content_dir_path)): - ColorPrint.print_error_fg("[+][. 
ERROR]: The security Content folder path in config is invalid or not exist.") - return - - search_count= 0 + if security_content_dir_path is None: + logger.error("Failed to read security_content_detection_path from config") + return [] + + expanded_path = os.path.expanduser(security_content_dir_path) + if not os.path.isdir(expanded_path): + error_msg = f"The security content folder path is invalid or does not exist: {expanded_path}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[+][. ERROR]: {error_msg}") + return [] + + search_count = 0 search_found_list = [] - found_flag = False + found_flag = False needed_replay_yaml_field = {} - for roots, dirs, files in os.walk(os.path.expanduser(security_content_dir_path)): + + for roots, dirs, files in os.walk(expanded_path): ### skip deprecated directories if dirs == "deprecated": continue - + if found_flag: break ### enumerate the files in the directory for file in files: - + if file.lower() in [fn.lower() for fn in normalized_args_list]: + logger.info(f"Found matching detection file: {file}") ColorPrint.print_success_fg(f"[+][SUCCESS]: ... SEARCH FOUND -> [ {file} ]") file_path = os.path.join(roots, file) - + yaml_data = self.read_yaml_file(file_path) - ### check if file content is empty or invalid - if yaml_data == None: + ### check if file content is empty or invalid + if yaml_data is None: + logger.warning(f"Skipping empty or invalid YAML file: {file_path}") ColorPrint.print_warning_fg(f"[!][WARNING]: ... Skipping empty or invalid YAML file: {file_path}") continue - needed_replay_yaml_field = self.create_metadata_cache(yaml_data) + needed_replay_yaml_field = self.create_metadata_cache(yaml_data, file_path) search_found_list.append(needed_replay_yaml_field) - - search_count+=1 + + search_count += 1 if search_count == len(normalized_args_list): found_flag = True break - + + logger.info(f"Total filtered detections found: {len(search_found_list)}") ColorPrint.print_info_fg(f"[+][. INFO]: ... 
Total filtered detections: {len(search_found_list)} ") - ColorPrint.print_info_fg(f"[+][. INFO]: ... ") - ColorPrint.print_info_fg(f"[+][. INFO]: ... ") + + if len(search_found_list) < len(normalized_args_list): + not_found_count = len(normalized_args_list) - len(search_found_list) + logger.warning(f"{not_found_count} detection(s) were not found") return search_found_list 
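Review bot: The `deprecated` skip in `parse_needed_detection_name` never fires: `dirs` is the list yielded by `os.walk`, so `dirs == "deprecated"` is always `False` and detection files under a deprecated directory are still matched and replayed. Pruning the list in place is what `os.walk` expects: `dirs[:] = [d for d in dirs if d != "deprecated"]`. That line is unchanged context here, but this rewrite of the loop is the natural place to fix it. Separately, `[fn.lower() for fn in normalized_args_list]` is rebuilt for every file visited; binding `wanted = {fn.lower() for fn in normalized_args_list}` once before the walk and testing `file.lower() in wanted` makes the lookup O(1) and the intent clearer. The `load_environment_variables` change is otherwise an improvement — it reports all missing variables at once and its log lines name only the variables, never the token value.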
@@ -215,21 +272,40 @@ def process_replay_attack_data_by_file_name(self, tag:str, normalized_args_list: escu_detection_guid = needed_replay_yaml_field['id'] ColorPrint.print_info_fg(f"[+][. INFO]: ... Downloading attack data for: {needed_replay_yaml_field['name']} ... item:{ctr+1}") - attack_datasets_full_path, attack_datasets_path = self.download_via_attack_data(attack_data_link, attack_data_timestamp_dir_path, generated_guid) + logger.debug(f"Downloading attack data for: {needed_replay_yaml_field['name']}") + + attack_datasets_full_path, attack_datasets_path = self.download_via_attack_data(attack_data_link, attack_data_timestamp_dir_path, generated_guid) + + # Check if download was successful + if attack_datasets_full_path is None or attack_datasets_path is None: + logger.error(f"Failed to download attack data for: {needed_replay_yaml_field['name']}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to download attack data for: {needed_replay_yaml_field['name']}") + continue ### update the total-replay cache yaml file needed_replay_yaml_field['attack_data_output_file_path'] = attack_datasets_full_path - + needed_replay_yaml_field = self.locate_associated_attack_data_yaml_file(attack_data_link, attack_datasets_path, needed_replay_yaml_field) if not needed_replay_yaml_field: - return - + logger.error("Failed to locate associated YAML file for attack data") + continue + ### dropped the replay yaml cache - replayed_yaml_cache_path = os.path.join(attack_data_timestamp_dir_path, generated_guid, self.read_config_settings('replayed_yaml_cache_dir_name')) + replayed_yaml_cache_dir = self.read_config_settings('replayed_yaml_cache_dir_name') + if not replayed_yaml_cache_dir: + logger.error("Failed to read replayed_yaml_cache_dir_name from config") + continue + + replayed_yaml_cache_path = os.path.join(attack_data_timestamp_dir_path, generated_guid, replayed_yaml_cache_dir) self.generate_output_dir(replayed_yaml_cache_path) - cache_replay_yaml_file_path = 
os.path.join(replayed_yaml_cache_path, needed_replay_yaml_field['id']+ "_" + self.read_config_settings('cache_replay_yaml_name')) + cache_replay_yaml_name = self.read_config_settings('cache_replay_yaml_name') + if not cache_replay_yaml_name: + logger.error("Failed to read cache_replay_yaml_name from config") + continue + + cache_replay_yaml_file_path = os.path.join(replayed_yaml_cache_path, needed_replay_yaml_field['id'] + "_" + cache_replay_yaml_name) self.dump_yaml_file(cache_replay_yaml_file_path, needed_replay_yaml_field) ### comment me if you dont want to see the replay_cache yml file 
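Review bot: `needed_replay_yaml_field['id']` comes straight from the parsed detection YAML and is joined into `cache_replay_yaml_file_path` without any check, so an unexpected `id` value containing path separators or `..` would place the cache file outside `replayed_yaml_cache_path`; validate it before the join, e.g. `if os.path.basename(escu_detection_guid) != escu_detection_guid: logger.error(f"Invalid detection id: {escu_detection_guid}"); continue`, reusing the `escu_detection_guid` local that is assigned at the top of the hunk and does not appear to be used elsewhere in it. The boolean that `generate_output_dir` now returns is ignored at `self.generate_output_dir(replayed_yaml_cache_path)`, so a failed mkdir only surfaces later when `dump_yaml_file` fails; checking it and `continue`-ing keeps the error next to its cause. The enclosing function starts before this hunk.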
@@ -239,78 +315,135 @@ def process_replay_attack_data_by_file_name(self, tag:str, normalized_args_list: ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("TOTAL-REPLAY CACHE YAML FILE")) self.processed_attack_data_uuid.append(needed_replay_yaml_field['attack_data_uuid']) - - + + try: - self.attack_data_replay_cmd(needed_replay_yaml_field, index_value) - except: - raise ValueError(f"[+][. ERROR]: ... Attack Data Replay Exception!") - + result = self.attack_data_replay_cmd(needed_replay_yaml_field, index_value) + if not result: + logger.warning(f"Attack data replay returned failure for: {needed_replay_yaml_field['name']}") + except Exception as e: + logger.error(f"Attack Data Replay Exception for {needed_replay_yaml_field['name']}: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[-][. ERROR]: Attack Data Replay Exception: {e}") + - ColorPrint.print_magenta_fg("\n[+]" + "█" * 160 + "\n") - ColorPrint.print_cyan_fg(self.footer_divider("TOTAl-REPLAY-ACTIVATED")) + ColorPrint.print_cyan_fg(self.footer_divider("TOTAl-REPLAY-ACTIVATED")) return - def dump_yaml_file(self, file_path:str, data:str): - - ### generate cache data - with open(file_path, "w") as f: - yaml.dump(data, f, default_flow_style=False) - - return + def dump_yaml_file(self, file_path:str, data:dict)->bool: + """Write data to a YAML file.""" + logger.debug(f"Writing YAML cache file: {file_path}") + try: + with open(file_path, "w") as f: + yaml.dump(data, f, default_flow_style=False) + logger.debug(f"Successfully wrote YAML file: {file_path}") + return True + except IOError as e: + logger.error(f"Failed to write YAML file {file_path}: {e}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to write YAML file: {e}") + return False + except yaml.YAMLError as e: + logger.error(f"YAML serialization error for {file_path}: {e}") + ColorPrint.print_error_fg(f"[-][. 
ERROR]: YAML serialization error: {e}") + return False - def generate_output_dir(self, dir_name:str): + def generate_output_dir(self, dir_name:str)->bool: """generate the base output folder for total-replay cache data""" ### if not exist create output directory if not os.path.isdir(dir_name): - os.makedirs(dir_name, exist_ok=True) - ColorPrint.print_success_fg(f"[+][SUCCESS]: ... {dir_name} folder created!") - return + try: + os.makedirs(dir_name, exist_ok=True) + logger.debug(f"Created output directory: {dir_name}") + ColorPrint.print_success_fg(f"[+][SUCCESS]: ... {dir_name} folder created!") + except OSError as e: + logger.error(f"Failed to create output directory {dir_name}: {e}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to create directory: {e}") + return False + return True def download_via_attack_data(self, attack_data_link:str, attack_data_timestamp_dir_path:str, generated_guid:str)->tuple: """download needed raw attack data via attack data feature""" - + logger.debug(f"Downloading attack data from: {attack_data_link}") + ### generate a unique guid folder path guid_dir_path = os.path.join(attack_data_timestamp_dir_path, generated_guid) self.generate_output_dir(guid_dir_path) - ### verify if the string contain url scheme + ### verify if the string contain url scheme p = urlparse(attack_data_link) if not p.scheme or not p.netloc: - raise ValueError(f"[-][. ERROR]: ... Unsupported GitHub URL format: {attack_data_link}") - - m, datasets_path = str(p.path).split("master/") + error_msg = f"Unsupported GitHub URL format: {attack_data_link}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + raise ValueError(f"[-][. ERROR]: ... {error_msg}") + + try: + m, datasets_path = str(p.path).split("master/") + except ValueError: + error_msg = f"URL does not contain expected 'master/' path segment: {attack_data_link}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. 
ERROR]: {error_msg}") + return (None, None) ### locate the attack_data path in config - if not os.path.isdir(os.path.expanduser(self.read_config_settings('attack_data_dir_path'))): - ColorPrint.print_error_fg("[+][. ERROR]: The attack data folder path in config is invalid or not exist.") - return {} - else: - attack_datasets_full_path = os.path.join(os.path.expanduser(self.read_config_settings('attack_data_dir_path')), datasets_path) - if os.path.isfile(attack_datasets_full_path): - ColorPrint.print_info_fg(f"[+][. INFO]: ... Attack data at: {attack_datasets_full_path} already exists. Download skipped.") - return (attack_datasets_full_path, datasets_path) + attack_data_dir = self.read_config_settings('attack_data_dir_path') + if attack_data_dir is None: + logger.error("Failed to read attack_data_dir_path from configuration") + return (None, None) + + expanded_attack_data_dir = os.path.expanduser(attack_data_dir) + if not os.path.isdir(expanded_attack_data_dir): + error_msg = f"The attack data folder path in config is invalid or does not exist: {expanded_attack_data_dir}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[+][. ERROR]: {error_msg}") + return (None, None) + + attack_datasets_full_path = os.path.join(expanded_attack_data_dir, datasets_path) + if os.path.isfile(attack_datasets_full_path): + logger.info(f"Attack data already exists, skipping download: {attack_datasets_full_path}") + ColorPrint.print_info_fg(f"[+][. INFO]: ... Attack data at: {attack_datasets_full_path} already exists. Download skipped.") + return (attack_datasets_full_path, datasets_path) # Find the Git repository root - repo_root = subprocess.check_output(["git", "rev-parse", "--show-toplevel"],text=True).strip() + try: + repo_root = subprocess.check_output(["git", "rev-parse", "--show-toplevel"], text=True).strip() + except subprocess.CalledProcessError as e: + error_msg = f"Failed to find Git repository root: {e}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. 
ERROR]: {error_msg}") + return (None, None) + except FileNotFoundError: + error_msg = "Git command not found. Please ensure Git is installed and in PATH." + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return (None, None) git_lfs_cmd = ["git", "lfs", "pull", f"--include={datasets_path}"] - ColorPrint.print_info_fg(f"[+][. INFO]: ... command: {" ".join(git_lfs_cmd)}") + ColorPrint.print_info_fg(f"[+][. INFO]: ... command: {' '.join(git_lfs_cmd)}") + logger.debug(f"Executing Git LFS command: {' '.join(git_lfs_cmd)}") ### execute the git command process try: result = subprocess.run(git_lfs_cmd, check=True, cwd=repo_root, capture_output=True, text=True) - ColorPrint.print_success_fg(f"[+][SUCCESS]: ... Git Command succeeded! attack data: {datasets_path} ==> downloaded succesfully!") + logger.info(f"Successfully downloaded attack data: {datasets_path}") + ColorPrint.print_success_fg(f"[+][SUCCESS]: ... Git Command succeeded! attack data: {datasets_path} ==> downloaded successfully!") except subprocess.CalledProcessError as e: - ColorPrint.print_error_fg("[-][. ERROR]: ... Command failed!") - ColorPrint.print_error_fg("[-][. ERROR]: ... Exit code:", e.returncode) - ColorPrint.print_error_fg("[-][. ERROR]: ... Stdout:", e.stdout) - ColorPrint.print_error_fg("[-][. ERROR]: ... Stderr:", e.stderr) - + logger.error(f"Git LFS pull failed - Exit code: {e.returncode}, Stdout: {e.stdout}, Stderr: {e.stderr}") + ColorPrint.print_error_fg("[-][. ERROR]: ... Git LFS command failed!") + ColorPrint.print_error_fg(f"[-][. ERROR]: ... Exit code: {e.returncode}") + if e.stdout: + ColorPrint.print_error_fg(f"[-][. ERROR]: ... Stdout: {e.stdout}") + if e.stderr: + ColorPrint.print_error_fg(f"[-][. ERROR]: ... Stderr: {e.stderr}") + return (None, None) + except FileNotFoundError: + error_msg = "Git LFS command not found. Please ensure Git LFS is installed." + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. 
ERROR]: {error_msg}") + return (None, None) return (attack_datasets_full_path, datasets_path) 
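Review bot: `datasets_path` is the tail of a URL taken from the detection YAML and is passed unchecked both into `os.path.join(expanded_attack_data_dir, datasets_path)` and into `git lfs pull --include=...`, so a link whose path contains `..` segments after `master/` would make the later replay read a file outside the attack data directory; normalise and confine it before use (rewritten lines below). The `except ValueError` on the unpack also fires when `master/` occurs more than once in the path, so the message "does not contain expected 'master/' path segment" is misleading in that case — `if len(parts) != 2` on `p.path.split("master/")` distinguishes the two. The scheme/netloc branch still `raise`s while every other failure in this function now returns `(None, None)`, and the visible callers do not wrap the call in `try`, so one malformed link aborts the whole run instead of being skipped; returning `(None, None)` there matches the contract the callers test for. `repo_root` is derived from the process's working directory rather than from `expanded_attack_data_dir`, which looks like it could run `git lfs pull` in the wrong repository when the tool is invoked from elsewhere — worth confirming.
```python
try:
    m, datasets_path = str(p.path).split("master/")
except ValueError:
    # … unchanged: error reporting …
    return (None, None)
# … unchanged: attack_data_dir lookup and isdir check …
attack_data_root = os.path.realpath(expanded_attack_data_dir)
attack_datasets_full_path = os.path.realpath(os.path.join(attack_data_root, datasets_path))
if os.path.commonpath([attack_data_root, attack_datasets_full_path]) != attack_data_root:
    error_msg = f"Dataset path resolves outside the attack data directory: {datasets_path}"
    logger.error(error_msg)
    ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}")
    return (None, None)
# … unchanged: isfile short-circuit, git rev-parse and git lfs pull …
```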
@@ -331,23 +464,55 @@ def read_yaml_file(self, file_path:str)->dict: return None def locate_associated_attack_data_yaml_file(self, attack_data_link:str, attack_datasets_path:str, needed_yaml_field_cache:dict)->dict: + """Locate and parse the YAML file associated with attack data.""" + logger.debug(f"Locating associated YAML file for: {attack_data_link}") ### check and parsed the yml file associated with the attack data - yml_name = os.path.basename(os.path.dirname(unquote(urlparse(attack_data_link).path))) + try: + yml_name = os.path.basename(os.path.dirname(unquote(urlparse(attack_data_link).path))) + except Exception as e: + logger.error(f"Failed to parse attack data link URL: {e}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to parse attack data link: {e}") + return {} ### locate the attack_data path in config - if not os.path.isdir(os.path.expanduser(self.read_config_settings('attack_data_dir_path'))): - ColorPrint.print_error_fg("[+][. ERROR]: The attack data folder path in config is invalid or not exist.") + attack_data_dir = self.read_config_settings('attack_data_dir_path') + if attack_data_dir is None: + logger.error("Failed to read attack_data_dir_path from config") + return {} + + expanded_attack_data_dir = os.path.expanduser(attack_data_dir) + if not os.path.isdir(expanded_attack_data_dir): + error_msg = f"The attack data folder path is invalid or does not exist: {expanded_attack_data_dir}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[+][. ERROR]: {error_msg}") + return {} + + attack_data_full_dir_path = os.path.join(expanded_attack_data_dir, os.path.dirname(attack_datasets_path)) + + if not os.path.isdir(attack_data_full_dir_path): + error_msg = f"Attack data directory not found: {attack_data_full_dir_path}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. 
ERROR]: {error_msg}") return {} - - attack_data_full_dir_path = os.path.join(os.path.expanduser(self.read_config_settings('attack_data_dir_path')), os.path.dirname(attack_datasets_path)) ### enumerate all yaml file inside the attack data folder base on the attack_data_link in escu - for file in os.listdir(attack_data_full_dir_path): + try: + dir_contents = os.listdir(attack_data_full_dir_path) + except OSError as e: + logger.error(f"Failed to list directory {attack_data_full_dir_path}: {e}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to list directory: {e}") + return {} + + for file in dir_contents: if file.endswith((".yml", ".yaml")): yml_file_path = os.path.join(attack_data_full_dir_path, file) attack_data_yaml_buff = self.read_yaml_file(yml_file_path) - + + if attack_data_yaml_buff is None: + logger.debug(f"Skipping invalid YAML file: {yml_file_path}") + continue + ### this is to support the old and new attack data yaml format datasets = attack_data_yaml_buff.get("datasets", []) dataset = attack_data_yaml_buff.get("dataset", "") 
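Review bot: `yml_name` can be an empty string when the link's path has no parent directory component, and the later `yml_name in file` test is then true for every YAML in the folder, so the first file listed would be silently adopted as the associated metadata; add `if not yml_name: logger.error(f"Could not derive dataset name from link: {attack_data_link}"); return {}` right after the assignment. The `except Exception` around `urlparse`/`unquote` is broader than needed — malformed input raises `ValueError` — so `except ValueError as e:` keeps genuine programming errors visible. `attack_data_full_dir_path` is built from `os.path.dirname(attack_datasets_path)` without confirming the result stays under `expanded_attack_data_dir`; an `os.path.commonpath` containment check before the `isdir` test closes that gap.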
@@ -364,21 +529,24 @@ def locate_associated_attack_data_yaml_file(self, attack_data_link:str, attack_d ) if yml_name in file or has_new_format or has_old_format: - + needed_yaml_field_cache['attack_data_yml_file_path'] = yml_file_path attack_id = attack_data_yaml_buff.get("id") if attack_id: needed_yaml_field_cache['attack_data_uuid'] = attack_data_yaml_buff['id'] + logger.info(f"Found associated YAML file: {file}") ColorPrint.print_success_fg(f"[+][SUCCESS]: ... {file} ==> associated yml file extracted successfully") return needed_yaml_field_cache else: - ColorPrint.print_warning_fg(f"[!][WARNING]: ... attack_data yaml field: [uuid] => not found!!") - else: - # This runs ONLY if the loop never hits 'return' or 'break' - ColorPrint.print_error_fg("[-][. ERROR]: ... No matching YAML file was found during iteration!") - return {} + logger.warning(f"YAML file {file} missing 'id' field") + ColorPrint.print_warning_fg(f"[!][WARNING]: ... attack_data yaml field: [uuid] => not found in {file}!") + + # This runs ONLY if the loop never hits 'return' or 'break' + logger.error(f"No matching YAML file found for attack data: {attack_datasets_path}") + ColorPrint.print_error_fg("[-][. ERROR]: ... No matching YAML file was found during iteration!") + return {} - def create_metadata_cache(self, yaml_data: yaml) -> dict: + def create_metadata_cache(self, yaml_data: yaml, file_path: str = None) -> dict: """Create a metadata cache from the YAML data.""" needed_replay_yaml_field = { @@ -387,7 +555,7 @@ def create_metadata_cache(self, yaml_data: yaml) -> dict: "mitre_attack_id": yaml_data.get("tags", {}).get("mitre_attack_id", "Unknown"), "analytic_story": yaml_data.get("tags", {}).get("analytic_story", "Unknown"), "description": yaml_data.get("description", "No description available"), - #"file_path": yaml_data.get("file_path", "Unknown") + "file_path": file_path if file_path else "Unknown" } # Checking for 'tests' key for handling 'attack_data' yaml field 
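Review bot: The changed `create_metadata_cache` signature annotates `yaml_data` with the `yaml` module object rather than a type and writes the optional parameter as `file_path: str = None`, which is not a valid optional annotation; `def create_metadata_cache(self, yaml_data: dict, file_path: str | None = None) -> dict:` matches the `yaml_data.get(...)` calls in the body and what the callers pass. In the second hunk on this line, `"file_path": file_path if file_path else "Unknown"` reads more naturally as `"file_path": file_path or "Unknown"`. The docstring should also say that `file_path` is stored verbatim under the `file_path` key of the returned cache, since that value later appears in progress output and in the dumped cache YAML.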
@@ -417,7 +585,16 @@ def create_metadata_cache(self, yaml_data: yaml) -> dict: def send_data_to_splunk(self, file_path, splunk_host, hec_token, event_host_uuid, index="test", source="test", sourcetype="test"): """Send a data file to Splunk HEC.""" + logger.debug(f"Preparing to send data to Splunk - file: {file_path}, host: {splunk_host}, index: {index}") disable_warnings() + + # Validate file exists + if not os.path.isfile(file_path): + error_msg = f"Data file not found: {file_path}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return False + hec_channel = str(uuid.uuid4()) headers = { "Authorization": f"Splunk {hec_token}", 
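Review bot: `send_data_to_splunk` now returns `False` on a missing file, but its signature carries no return annotation and the docstring does not state the contract that `attack_data_replay_cmd` branches on; add `-> bool` and a docstring line such as `Returns True when HEC accepts the payload, False on any validation, I/O or HTTP failure.`. The pre-existing `disable_warnings()` call runs unconditionally before any input is validated; it only makes sense alongside a request made with certificate verification disabled, and would be better gated on whatever setting controls that.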
@@ -443,100 +620,306 @@ def send_data_to_splunk(self, file_path, splunk_host, hec_token, event_host_uuid ColorPrint.print_yellow_fg(Style.DIM + f"[+][. INFO]: ... uuid: {event_host_uuid}") ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("ATTACK DATA REPLAY SUMMARY")) - with open(file_path, "rb") as datafile: - try: - res = requests.post( - url, - params=url_params, - data=datafile.read(), - allow_redirects=True, - headers=headers, - verify=False, - ) - res.raise_for_status() - ColorPrint.print_success_fg(f"[+][SUCCESS]: ... :white_check_mark: Sent {file_path} to Splunk HEC") - except Exception as e: - ColorPrint.print_error_fg(f"[+][. ERROR]: ... :x: Error sending {file_path} to Splunk HEC: {e}") - return + max_retries = 3 + retry_delay = 30 # seconds + + try: + with open(file_path, "rb") as datafile: + data = datafile.read() + if not data: + logger.warning(f"Data file is empty: {file_path}") + ColorPrint.print_warning_fg(f"[!][WARNING]: Data file is empty: {file_path}") + + for attempt in range(1, max_retries + 1): + try: + res = requests.post( + url, + params=url_params, + data=data, + allow_redirects=True, + headers=headers, + verify=False, + timeout=60 + ) + res.raise_for_status() + logger.info(f"Successfully sent data to Splunk HEC: {file_path}") + ColorPrint.print_success_fg(f"[+][SUCCESS]: ... Sent {file_path} to Splunk HEC") + return True + except requests.exceptions.ConnectionError as e: + error_msg = f"Failed to connect to Splunk HEC at {splunk_host}:8088 - {e}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return False + except requests.exceptions.Timeout as e: + if attempt < max_retries: + logger.warning(f"Request to Splunk HEC timed out (attempt {attempt}/{max_retries}). Retrying in {retry_delay} seconds...") + ColorPrint.print_warning_fg(f"[!][WARNING]: Request timed out (attempt {attempt}/{max_retries}). 
Retrying in {retry_delay} seconds...") + time.sleep(retry_delay) + else: + error_msg = f"Request to Splunk HEC timed out after {max_retries} attempts: {e}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return False + except requests.exceptions.HTTPError as e: + error_msg = f"HTTP error from Splunk HEC: {e.response.status_code} - {e.response.text}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return False + except requests.exceptions.RequestException as e: + error_msg = f"Error sending data to Splunk HEC: {e}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return False + except IOError as e: + error_msg = f"Failed to read data file {file_path}: {e}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return False def attack_data_replay_cmd(self, needed_replay_yaml_field:dict, index_value:str)->bool: """main function in replaying attack data in splunk server""" - + logger.debug(f"Starting attack data replay for detection: {needed_replay_yaml_field.get('name', 'Unknown')}") + env_var = self.load_environment_variables() - splunk_host = env_var['host'] - hec_token = env_var['hec_token'] - #error_terms = ["error", "Failed to connect","unreacheable=1", "timed out", "exception","fatal"] - ### setup Command arguments + if not env_var: + logger.error("Cannot replay attack data: environment variables not set") + return False + + try: + splunk_host = env_var['host'] + hec_token = env_var['hec_token'] + except KeyError as e: + logger.error(f"Missing required environment variable key: {e}") + ColorPrint.print_error_fg(f"[-][. 
ERROR]: Missing required environment variable: {e}") + return False + + # Validate required fields in the yaml cache + required_fields = ['attack_data_output_file_path', 'attack_data_source', 'attack_data_sourcetype', + 'attack_data_uuid', 'attack_data_yml_file_path'] + missing_fields = [f for f in required_fields if f not in needed_replay_yaml_field] + if missing_fields: + logger.error(f"Missing required fields in replay data: {', '.join(missing_fields)}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Missing required fields: {', '.join(missing_fields)}") + return False + attack_data_file_path = needed_replay_yaml_field['attack_data_output_file_path'] attack_data_source = needed_replay_yaml_field['attack_data_source'] attack_data_source_type = needed_replay_yaml_field['attack_data_sourcetype'] attack_data_uuid = needed_replay_yaml_field['attack_data_uuid'] attack_data_yml_file_path = needed_replay_yaml_field['attack_data_yml_file_path'] - if not os.path.isdir(os.path.expanduser(self.read_config_settings('attack_data_dir_path'))): - ColorPrint.print_error_fg("[-][. ERROR]: ... The attack data folder path in config is invalid or not exist.") + # Validate attack data file exists + if not attack_data_file_path or not os.path.isfile(attack_data_file_path): + logger.error(f"Attack data file not found: {attack_data_file_path}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Attack data file not found: {attack_data_file_path}") + return False + + attack_data_dir = self.read_config_settings('attack_data_dir_path') + if attack_data_dir and not os.path.isdir(os.path.expanduser(attack_data_dir)): + logger.error(f"The attack data folder path in config is invalid or does not exist: {attack_data_dir}") + ColorPrint.print_error_fg("[-][. ERROR]: ... 
The attack data folder path in config is invalid or does not exist.") return False - + try: - self.send_data_to_splunk(attack_data_file_path, splunk_host, hec_token, attack_data_uuid, index_value, attack_data_source, attack_data_source_type) - return True + result = self.send_data_to_splunk(attack_data_file_path, splunk_host, hec_token, attack_data_uuid, + index_value, attack_data_source, attack_data_source_type) + if result: + logger.info(f"Successfully replayed attack data for: {needed_replay_yaml_field.get('name', 'Unknown')}") + return result except Exception as e: - ColorPrint.print_error_fg(f"[-][. ERROR]: ... running command: {e}") + logger.error(f"Error replaying attack data: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[-][. ERROR]: Error replaying attack data: {e}") return False + def process_replay_all_detections(self, index_value: str, generated_guid: str) -> None: + """Replay attack data for ALL detection YAML files in security content""" + tag = "all_detections" + + ColorPrint.print_cyan_fg(self.header_divider("TOTAl-REPLAY-ACTIVATED", tag)) + + security_content_dir_path = self.read_config_settings("security_content_detection_path") + if security_content_dir_path is None: + ColorPrint.print_error_fg("[-][. ERROR]: Failed to read security_content_detection_path from config") + return + + expanded_path = os.path.expanduser(security_content_dir_path) + if not os.path.isdir(expanded_path): + ColorPrint.print_error_fg(f"[-][. ERROR]: The security content folder path is invalid or does not exist: {expanded_path}") + return + + # Collect all YAML files first + all_yaml_files = [] + for root, dirs, files in os.walk(expanded_path): + if "deprecated" in dirs: + dirs.remove("deprecated") # Skip deprecated folder + for file in files: + if file.endswith((".yaml", ".yml")): + all_yaml_files.append(os.path.join(root, file)) + + total_files = len(all_yaml_files) + ColorPrint.print_info_fg(f"[+][. INFO]: ... 
Found {total_files} YAML files to process") + + for ctr, file_path in enumerate(all_yaml_files): + ColorPrint.print_info_fg(f"[+][. INFO]: ... Processing {ctr+1}/{total_files}: {file_path}") + + yaml_data = self.read_yaml_file(file_path) + if yaml_data is None: + ColorPrint.print_warning_fg(f"[!][WARNING]: ... Skipping empty or invalid YAML file: {file_path}") + continue + + needed_replay_yaml_field = self.create_metadata_cache(yaml_data, file_path) + + # Check if attack_data_link exists + if "attack_data_link" not in needed_replay_yaml_field or needed_replay_yaml_field["attack_data_link"] == "N/A": + continue + + attack_data_link = needed_replay_yaml_field["attack_data_link"] + + # Generate replay yaml output folder + output_dir_name = self.read_config_settings('output_dir_name') + if not output_dir_name: + ColorPrint.print_error_fg("[-][. ERROR]: Failed to read output_dir_name from config") + continue + + output_base_dir = os.path.join(self.curdir, output_dir_name) + self.generate_output_dir(output_base_dir) + + attack_data_timestamp_dir_path = os.path.join(output_base_dir, datetime.date.today().strftime("%Y-%m-%d")) + + ColorPrint.print_info_fg(f"[+][. INFO]: ... Downloading attack data for: {needed_replay_yaml_field['name']}") + + attack_datasets_full_path, attack_datasets_path = self.download_via_attack_data(attack_data_link, attack_data_timestamp_dir_path, generated_guid) + + # Check if download was successful + if attack_datasets_full_path is None or attack_datasets_path is None: + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to download attack data for: {needed_replay_yaml_field['name']}") + continue + + # Update the total-replay cache yaml file + needed_replay_yaml_field['attack_data_output_file_path'] = attack_datasets_full_path + needed_replay_yaml_field = self.locate_associated_attack_data_yaml_file(attack_data_link, attack_datasets_path, needed_replay_yaml_field) + if not needed_replay_yaml_field: + ColorPrint.print_error_fg("[-][. 
ERROR]: Failed to locate associated YAML file for attack data") + continue + + # Dropped the replay yaml cache + replayed_yaml_cache_dir = self.read_config_settings('replayed_yaml_cache_dir_name') + if not replayed_yaml_cache_dir: + ColorPrint.print_error_fg("[-][. ERROR]: Failed to read replayed_yaml_cache_dir_name from config") + continue + + replayed_yaml_cache_path = os.path.join(attack_data_timestamp_dir_path, generated_guid, replayed_yaml_cache_dir) + self.generate_output_dir(replayed_yaml_cache_path) + + cache_replay_yaml_name = self.read_config_settings('cache_replay_yaml_name') + if not cache_replay_yaml_name: + ColorPrint.print_error_fg("[-][. ERROR]: Failed to read cache_replay_yaml_name from config") + continue + + cache_replay_yaml_file_path = os.path.join(replayed_yaml_cache_path, needed_replay_yaml_field['id'] + "_" + cache_replay_yaml_name) + self.dump_yaml_file(cache_replay_yaml_file_path, needed_replay_yaml_field) + + if self.read_config_settings('debug_print'): + ColorPrint.print_yellow_fg(Style.DIM + self.header_divider("TOTAL-REPLAY CACHE YAML FILE", tag)) + ColorPrint.print_yellow_fg(Style.DIM + f"[+] ... \n{json.dumps(needed_replay_yaml_field, indent=4)}") + ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("TOTAL-REPLAY CACHE YAML FILE")) + + self.processed_attack_data_uuid.append(needed_replay_yaml_field['attack_data_uuid']) + + try: + result = self.attack_data_replay_cmd(needed_replay_yaml_field, index_value) + if not result: + ColorPrint.print_warning_fg(f"[!][WARNING]: Attack data replay returned failure for: {needed_replay_yaml_field['name']}") + except Exception as e: + ColorPrint.print_error_fg(f"[-][. ERROR]: Attack Data Replay Exception: {e}") + + ColorPrint.print_magenta_fg("\n[+]" + "█" * 160 + "\n") + + ColorPrint.print_cyan_fg(self.footer_divider("TOTAl-REPLAY-ACTIVATED")) + ColorPrint.print_info_fg(f"[+][. INFO]: ... 
Completed processing all {total_files} detection files") + def process_replay_attack_data(self, tag:str, normalized_args_list:list, index_value:str, generated_guid:str)->None: """main function in replaying attack data using ESCU metadata""" - + logger.info(f"Starting replay for {len(normalized_args_list)} items with tag: {tag}") ColorPrint.print_cyan_fg(self.header_divider("TOTAl-REPLAY-ACTIVATED", tag)) - - search_found_list = [] + + search_found_list = [] for field_name in normalized_args_list: ### skipped if the inputted string has file extension or not a .yml file if field_name.endswith(".yml"): + logger.debug(f"Skipping .yml extension in field name: {field_name}") continue needed_replay_yaml_field = {} search_found_list = self.search_security_content(tag, field_name) if not search_found_list: + logger.warning(f"No matching detections found for: {field_name}") continue - + ColorPrint.print_info_fg(f"[+][. INFO]: ... Total filtered detections: {len(search_found_list)} ") + logger.info(f"Found {len(search_found_list)} detections for: {field_name}") + - for ctr, needed_replay_yaml_field in enumerate(search_found_list): + ColorPrint.print_info_fg(f"[+][. INFO]: ... 
Processing detection {ctr+1}/{len(search_found_list)}: {needed_replay_yaml_field.get('file_path', 'Unknown')}") ### get the attack data url link if "attack_data_link" in needed_replay_yaml_field: attack_data_link = needed_replay_yaml_field["attack_data_link"] else: + logger.warning(f"No attack_data_link found for detection: {needed_replay_yaml_field.get('name', 'Unknown')}") continue ### generate replay yaml output folder - output_base_dir = os.path.join(self.curdir, self.read_config_settings('output_dir_name')) + output_dir_name = self.read_config_settings('output_dir_name') + if not output_dir_name: + logger.error("Failed to read output_dir_name from config") + continue + + output_base_dir = os.path.join(self.curdir, output_dir_name) self.generate_output_dir(output_base_dir) - + attack_data_timestamp_dir_path = os.path.join(output_base_dir, datetime.date.today().strftime("%Y-%m-%d")) escu_detection_guid = needed_replay_yaml_field['id'] ColorPrint.print_info_fg(f"[+][. INFO]: ... Downloading attack data for: {needed_replay_yaml_field['name']} ... item:{ctr+1}") + logger.debug(f"Downloading attack data for: {needed_replay_yaml_field['name']}") + attack_datasets_full_path, attack_datasets_path = self.download_via_attack_data(attack_data_link, attack_data_timestamp_dir_path, generated_guid) + # Check if download was successful + if attack_datasets_full_path is None or attack_datasets_path is None: + logger.error(f"Failed to download attack data for: {needed_replay_yaml_field['name']}") + ColorPrint.print_error_fg(f"[-][. 
ERROR]: Failed to download attack data for: {needed_replay_yaml_field['name']}") + continue + ### update the total-replay cache yaml file needed_replay_yaml_field['attack_data_output_file_path'] = attack_datasets_full_path needed_replay_yaml_field = self.locate_associated_attack_data_yaml_file(attack_data_link, attack_datasets_path, needed_replay_yaml_field) if not needed_replay_yaml_field: - return + logger.error("Failed to locate associated YAML file for attack data") + continue ### dropped the replay yaml cache - replayed_yaml_cache_path = os.path.join(attack_data_timestamp_dir_path, generated_guid, self.read_config_settings('replayed_yaml_cache_dir_name')) + replayed_yaml_cache_dir = self.read_config_settings('replayed_yaml_cache_dir_name') + if not replayed_yaml_cache_dir: + logger.error("Failed to read replayed_yaml_cache_dir_name from config") + continue + + replayed_yaml_cache_path = os.path.join(attack_data_timestamp_dir_path, generated_guid, replayed_yaml_cache_dir) self.generate_output_dir(replayed_yaml_cache_path) - cache_replay_yaml_file_path = os.path.join(replayed_yaml_cache_path, needed_replay_yaml_field['id']+ "_" + self.read_config_settings('cache_replay_yaml_name')) + cache_replay_yaml_name = self.read_config_settings('cache_replay_yaml_name') + if not cache_replay_yaml_name: + logger.error("Failed to read cache_replay_yaml_name from config") + continue + + cache_replay_yaml_file_path = os.path.join(replayed_yaml_cache_path, needed_replay_yaml_field['id'] + "_" + cache_replay_yaml_name) self.dump_yaml_file(cache_replay_yaml_file_path, needed_replay_yaml_field) ### comment me if you dont want to see the replay_cache yml file 
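Review bot: The rewritten POST in `send_data_to_splunk` still hard-codes `verify=False`, with `disable_warnings()` hiding the consequence, so the HEC token in the `Authorization` header and every replayed event go to a server whose certificate is never checked; take the verification setting from configuration (a CA-bundle path or boolean read via `read_config_settings` under a new `<hec_tls_verify_config_key>` placeholder), pass it as `verify=`, and call `disable_warnings()` only when verification was explicitly turned off. The retry loop calls `time.sleep(retry_delay)`, so `time` must be imported at file level, which this chunk does not show. In `attack_data_replay_cmd` the `attack_data_dir` check has become informational — `attack_data_file_path` is never confirmed to lie under that directory — so either drop it or turn it into a containment check with `os.path.commonpath`. `process_replay_all_detections` repeats the per-detection body of `process_replay_attack_data` almost line for line (config reads, download, locate, cache dump, replay) and re-reads config and calls `generate_output_dir(output_base_dir)` on every iteration; a single `_replay_one_detection(...)` helper used by both would remove the drift that already exists between them, where one path logs through `logger` and the other only prints.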
@@ -544,24 +927,28 @@ def process_replay_attack_data(self, tag:str, normalized_args_list:list, index_v ColorPrint.print_yellow_fg(Style.DIM + self.header_divider("TOTAL-REPLAY CACHE YAML FILE", tag)) ColorPrint.print_yellow_fg(Style.DIM + f"[+] ... \n{json.dumps(needed_replay_yaml_field, indent=4)}") ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("TOTAL-REPLAY CACHE YAML FILE")) - + self.processed_attack_data_uuid.append(needed_replay_yaml_field['attack_data_uuid']) try: - self.attack_data_replay_cmd(needed_replay_yaml_field, index_value) - except: - raise ValueError(f"[+][. ERROR]: ... Attack Data Replay Exception!") + result = self.attack_data_replay_cmd(needed_replay_yaml_field, index_value) + if not result: + logger.warning(f"Attack data replay returned failure for: {needed_replay_yaml_field['name']}") + except Exception as e: + logger.error(f"Attack Data Replay Exception for {needed_replay_yaml_field['name']}: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[-][. ERROR]: Attack Data Replay Exception: {e}") ColorPrint.print_magenta_fg("\n[+]" + "█" * 160 + "\n") - ColorPrint.print_cyan_fg(self.footer_divider("TOTAl-REPLAY-ACTIVATED")) + ColorPrint.print_cyan_fg(self.footer_divider("TOTAl-REPLAY-ACTIVATED")) return def search_security_content(self, key_name: str, field_name:str)->list: """Function in parsing Splunk Security Content Repo""" + logger.debug(f"Searching security content for key={key_name}, field={field_name}") ColorPrint.print_info_fg(f'[+][. INFO]: ... processing => [ {field_name} ]') 
@@ -572,18 +959,25 @@ def search_security_content(self, key_name: str, field_name:str)->list: needed_replay_yaml_field = {} security_content_dir_path = self.read_config_settings("security_content_detection_path") - if not os.path.isdir(os.path.expanduser(security_content_dir_path)): - ColorPrint.print_error_fg("[+][. ERROR]: The security Content folder path in config is invalid or not exist.") + if security_content_dir_path is None: + logger.error("Failed to read security_content_detection_path from config") + return [] + + expanded_path = os.path.expanduser(security_content_dir_path) + if not os.path.isdir(expanded_path): + error_msg = f"The security content folder path is invalid or does not exist: {expanded_path}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[+][. ERROR]: {error_msg}") return [] - - for root, dirs, files in os.walk(os.path.expanduser(security_content_dir_path)): + + for root, dirs, files in os.walk(expanded_path): ## skip deprecated folder if dirs == "deprecated": continue ## break the loop once we found the needed field value if found_flag: break - + for file in files: if file.endswith((".yaml",".yml")): 
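Review bot: The rewritten `os.walk(expanded_path)` loop still runs `if dirs == "deprecated": continue`, which compares the list of subdirectory names to a string and is therefore never true, so deprecated detections are walked and can be matched; the line is pre-existing context, but this hunk rewrites the walk and is the place to fix it, e.g. `dirs[:] = [d for d in dirs if d != "deprecated"]` placed before the `found_flag` check so os.walk actually prunes that subtree. The new `is None` guard is an improvement, but an empty string from config passes it and then reports "invalid or does not exist: " with nothing after the colon; `if not security_content_dir_path:` covers both cases with the same early return. search_security_content starts before this hunk and continues past it.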
@@ -591,18 +985,20 @@ def search_security_content(self, key_name: str, field_name:str)->list: yaml_data = self.read_yaml_file(file_path) - ### check if file content is empty or invalid + ### check if file content is empty or invalid if yaml_data is None: - ColorPrint.print_error_fg(f"[!] [STATUS]: [. ERROR] ... skipping empty or invalid YAML file: {file_path}") + logger.debug(f"Skipping empty or invalid YAML file: {file_path}") continue - + if self.check_needed_yaml_field(key_name, field_name, yaml_data): if key_name != "mitre_attack_id" and key_name != "analytic_story": found_flag = True - - needed_replay_yaml_field = self.create_metadata_cache(yaml_data) + + needed_replay_yaml_field = self.create_metadata_cache(yaml_data, file_path) search_found_list.append(needed_replay_yaml_field) + logger.debug(f"Found matching detection: {yaml_data.get('name', 'Unknown')}") + logger.debug(f"Search complete. Found {len(search_found_list)} matches for {field_name}") return search_found_list def check_needed_yaml_field(self, yaml_key_name:str, field_name:str, yaml_data:yaml)->bool: 
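Review bot: Downgrading the malformed-YAML case from a console ERROR to `logger.debug` means a detection file that fails to parse now disappears silently unless debug logging is enabled, and the closing "Found 0 matches" line gives no hint why; `logger.warning(f"Skipping empty or invalid YAML file: {file_path}")` keeps it visible without the old noisy print. Separately, `found_flag = True` only stops the walk at the next directory because the break lives in the outer loop, so the remaining files of the current directory are still parsed after a name/GUID match; a `break` right after `search_found_list.append(needed_replay_yaml_field)` when `found_flag` is set avoids that. `create_metadata_cache` now takes `file_path` as a second argument — its definition is outside this hunk, so confirm every other caller was updated. The enclosing function starts before this hunk.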
@@ -631,89 +1027,153 @@ def check_needed_yaml_field(self, yaml_key_name:str, field_name:str, yaml_data:y return False - def normalized_file_args(self, file_path:str)->list: + def normalized_file_args(self, file_path:str)->dict: """segregate string by possible Splunk Security content yaml field via regex""" ColorPrint.print_info_fg("[+][. INFO]: ... segregating the file data ...") + logger.debug(f"Processing file for categorization: {file_path}") + + # Validate file exists + if not os.path.isfile(file_path): + logger.error(f"Input file not found: {file_path}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Input file not found: {file_path}") + return {} + + try: + with open(file_path, "r") as f: + lines = f.readlines() + except IOError as e: + logger.error(f"Failed to read file {file_path}: {e}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Failed to read file: {e}") + return {} + except UnicodeDecodeError as e: + logger.error(f"File encoding error for {file_path}: {e}") + ColorPrint.print_error_fg(f"[-][. 
ERROR]: File encoding error: {e}") + return {} - with open(file_path, "r") as f: - lines = f.readlines() + # Filter out empty lines and comments + filter_line = [l.strip() for l in lines if l.strip() and not l.strip().startswith('#')] + + if not filter_line: + logger.warning(f"No valid entries found in file: {file_path}") + ColorPrint.print_warning_fg(f"[!][WARNING]: No valid entries found in file: {file_path}") + return {} + + logger.debug(f"Found {len(filter_line)} non-empty lines to categorize") - filter_line = [l.strip() for l in lines] - segregate = defaultdict(list) - regex_patterns = { + regex_patterns = { "detection_filename": r"^[a-z0-9_]+(?:\.yml)?$", "guid": r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", "mitre_attack_tid": r"^T\d{4}(?:\.\d{3})?$", "detection_and_analytic_story_name": r"^[A-Za-z0-9\s\-]+$" } - - + + unmatched_count = 0 for item in filter_line: found_category = False for category, pattern in regex_patterns.items(): if re.fullmatch(pattern, item): # fullmatch ensures the entire string matches the pattern segregate[category].append(item) - found_category = True - + if not found_category: - + unmatched_count += 1 + logger.warning(f"No category matched for item: {item}") ColorPrint.print_warning_fg(f"[!][WARNING]: ... 
{item} - No category matched.") - + + if unmatched_count > 0: + logger.warning(f"Total unmatched items: {unmatched_count}") ### remove guid and technique id catched by generic regex detection__and_analytic_story_name if 'detection_and_analytic_story_name' in segregate and ("guid" in segregate or "mitre_attack_tid" in segregate): removed_list = [] for v in segregate['detection_and_analytic_story_name']: - if v in segregate['guid']: + if 'guid' in segregate and v in segregate['guid']: removed_list.append(v) - if v in segregate['mitre_attack_tid']: + if 'mitre_attack_tid' in segregate and v in segregate['mitre_attack_tid']: removed_list.append(v) for r in removed_list: segregate['detection_and_analytic_story_name'].remove(r) + regular_dict = dict(segregate) beautified_json_string = json.dumps(regular_dict, indent=4) + # Log categorization summary + for category, items in regular_dict.items(): + logger.debug(f"Category '{category}': {len(items)} items") + ### comment me if you dont want to see the replay_cache yml file if self.read_config_settings('debug_print'): ColorPrint.print_yellow_fg(Style.DIM + self.header_divider("STRING CATEGORIZATION")) ColorPrint.print_yellow_fg(Style.DIM + f"[+] ... \n{beautified_json_string}") - ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("STRING CATEGORIZATION")) + ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("STRING CATEGORIZATION")) + return segregate - def process_local_yaml_cache(self, local_replayed_yaml_dir_path:str,index_value:str)->None: - """Process local YAML cache files for replaying attack data.""" + def process_local_yaml_cache(self, local_replayed_yaml_dir_path:str, index_value:str)->bool: + """Process local YAML cache files for replaying attack data.""" + logger.info(f"Processing local YAML cache from: {local_replayed_yaml_dir_path}") + if not os.path.isdir(local_replayed_yaml_dir_path): - ColorPrint.print_error_fg(f"[-][. ERROR]: ... 
Inputted {local_replayed_yaml_dir_path} is invalid!") - return - else: - for root, dirs, files in os.walk(local_replayed_yaml_dir_path): - for ctr, file in enumerate(files): - ColorPrint.print_info_fg(f'[+][. INFO]: ... Processing {ctr+1} => [ {file} ]') - file_path = os.path.join(root, file) + error_msg = f"Local cache directory not found or is not a directory: {local_replayed_yaml_dir_path}" + logger.error(error_msg) + ColorPrint.print_error_fg(f"[-][. ERROR]: {error_msg}") + return False + + yaml_files_found = 0 + yaml_files_processed = 0 + yaml_files_failed = 0 + + for root, dirs, files in os.walk(local_replayed_yaml_dir_path): + for ctr, file in enumerate(files): + if not file.endswith((".yaml", ".yml")): + continue + + yaml_files_found += 1 + ColorPrint.print_info_fg(f'[+][. INFO]: ... Processing {ctr+1} => [ {file} ]') + file_path = os.path.join(root, file) + logger.debug(f"Processing YAML cache file: {file_path}") + + yaml_data = self.read_yaml_file(file_path) + + if yaml_data is None: + logger.error(f"Skipping empty or invalid YAML file: {file_path}") + ColorPrint.print_error_fg(f"[-][. ERROR]: ... Skipping empty or invalid YAML file: {file_path}") + yaml_files_failed += 1 + continue + + # Validate required fields + if 'attack_data_uuid' not in yaml_data: + logger.error(f"Missing 'attack_data_uuid' in YAML file: {file_path}") + ColorPrint.print_error_fg(f"[-][. ERROR]: Missing 'attack_data_uuid' in: {file_path}") + yaml_files_failed += 1 + continue + + ### comment me if you dont want to see the replay_cache yml file + if self.read_config_settings('debug_print'): + ColorPrint.print_yellow_fg(Style.DIM + self.header_divider("TOTAL-REPLAY CACHE YAML FILE", "local cache")) + ColorPrint.print_yellow_fg(Style.DIM + f"[+] ... 
\n{json.dumps(yaml_data, indent=4)}") + ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("TOTAL-REPLAY CACHE YAML FILE")) + + self.processed_attack_data_uuid.append(yaml_data['attack_data_uuid']) + + try: + result = self.attack_data_replay_cmd(yaml_data, index_value) + if result: + yaml_files_processed += 1 + else: + yaml_files_failed += 1 + except Exception as e: + logger.error(f"Exception during attack data replay for {file_path}: {e}", exc_info=True) + ColorPrint.print_error_fg(f"[-][. ERROR]: Attack Data Replay Exception for {file}: {e}") + yaml_files_failed += 1 + + ColorPrint.print_magenta_fg("\n[+]" + "█" * 160 + "\n") + + # Log summary + logger.info(f"Local cache processing complete - Found: {yaml_files_found}, Processed: {yaml_files_processed}, Failed: {yaml_files_failed}") + if yaml_files_found == 0: + logger.warning(f"No YAML files found in: {local_replayed_yaml_dir_path}") + ColorPrint.print_warning_fg(f"[!][WARNING]: No YAML files found in: {local_replayed_yaml_dir_path}") - if file.endswith((".yaml",".yml")): - yaml_data = self.read_yaml_file(file_path) - - if yaml_data is None: - ColorPrint.print_error_fg(f"[-][. ERROR]: ... Skipping empty or invalid YAML file: {file_path}") - continue - - ### comment me if you dont want to see the replay_cache yml file - if self.read_config_settings('debug_print'): - ColorPrint.print_yellow_fg(Style.DIM + self.header_divider("TOTAL-REPLAY CACHE YAML FILE", "local cache")) - ColorPrint.print_yellow_fg(Style.DIM + f"[+] ... \n{json.dumps(yaml_data, indent=4)}") - ColorPrint.print_yellow_fg(Style.DIM + self.footer_divider("TOTAL-REPLAY CACHE YAML FILE")) - - self.processed_attack_data_uuid.append(yaml_data['attack_data_uuid']) - - try: - self.attack_data_replay_cmd(yaml_data, index_value) - except: - raise ValueError(f"[+][. ERROR]: ... 
Attack Data Replay Exception!") - - ColorPrint.print_magenta_fg("\n[+]" + "█" * 160 + "\n") - - - return True \ No newline at end of file + return yaml_files_failed == 0 \ No newline at end of file diff --git a/total_replay/uv.lock b/total_replay/uv.lock new file mode 100644 index 00000000..cd9652ef --- /dev/null +++ b/total_replay/uv.lock 
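Review bot: process_local_yaml_cache returns `yaml_files_failed == 0`, which is True when the directory contained no YAML files at all — the `yaml_files_found == 0` branch just above only warns — so an existing but wrong `-ld` path is reported to the caller as success; `return yaml_files_found > 0 and yaml_files_failed == 0` makes the result match the log. In the same loop the progress line prints `{ctr+1}` from `enumerate(files)`, which also counts the non-YAML files skipped by the `continue` above it, so the displayed index jumps; `{yaml_files_found}` is the number that was just incremented. In normalized_file_args the error paths return a plain `{}` while the success path returns the `defaultdict`, so a caller that indexes a missing category gets `[]` in one case and KeyError in the other; returning `regular_dict`, which is already built, keeps the type uniform. The only field validated on a cache file is `attack_data_uuid`; whatever other keys attack_data_replay_cmd reads (not visible here) are unchecked and would surface only through the broad except, so a small required-fields check with the keys it actually uses would make a hand-edited or truncated cache file fail with a clear message.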
@@ -0,0 +1,441 @@ +version = 1 +revision = 3 +requires-python = ">=3.13" + +[[package]] +name = "ansible-runner" +version = "2.4.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "packaging" }, + { name = "pexpect" }, + { name = "python-daemon" }, + { name = "pyyaml" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/aa/db/65b9e058807d313c495a6f4365cc11234d0391c5843659ddc27cc4bf1677/ansible_runner-2.4.2.tar.gz", hash = "sha256:331d4da8d784e5a76aa9356981c0255f4bb1ba640736efe84b0bd7c73a4ca420", size = 152047, upload-time = "2025-10-14T19:10:50.159Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/a9/da/19512e72e9cf2b8e7e6345264baa6c7ac1bb0ab128eb19c73a58407c4566/ansible_runner-2.4.2-py3-none-any.whl", hash = "sha256:0bde6cb39224770ff49ccdc6027288f6a98f4ed2ea0c64688b31217033221893", size = 79758, upload-time = "2025-10-14T19:10:48.994Z" }, +] + +[[package]] +name = "certifi" +version = "2026.1.4" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/e0/2d/a891ca51311197f6ad14a7ef42e2399f36cf2f9bd44752b3dc4eab60fdc5/certifi-2026.1.4.tar.gz", hash = "sha256:ac726dd470482006e014ad384921ed6438c457018f4b3d204aea4281258b2120", size = 154268, upload-time = "2026-01-04T02:42:41.825Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/e6/ad/3cc14f097111b4de0040c83a525973216457bbeeb63739ef1ed275c1c021/certifi-2026.1.4-py3-none-any.whl", hash = "sha256:9943707519e4add1115f44c2bc244f782c0249876bf51b6599fee1ffbedd685c", size = 152900, upload-time = "2026-01-04T02:42:40.15Z" }, +] + +[[package]] +name = "charset-normalizer" +version = "3.4.4" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/13/69/33ddede1939fdd074bce5434295f38fae7136463422fe4fd3e0e89b98062/charset_normalizer-3.4.4.tar.gz", hash = "sha256:94537985111c35f28720e43603b8e7b43a6ecfb2ce1d3058bbe955b73404e21a", size = 129418, 
upload-time = "2025-10-14T04:42:32.879Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/97/45/4b3a1239bbacd321068ea6e7ac28875b03ab8bc0aa0966452db17cd36714/charset_normalizer-3.4.4-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:e1f185f86a6f3403aa2420e815904c67b2f9ebc443f045edd0de921108345794", size = 208091, upload-time = "2025-10-14T04:41:13.346Z" }, + { url = "https://files.pythonhosted.org/packages/7d/62/73a6d7450829655a35bb88a88fca7d736f9882a27eacdca2c6d505b57e2e/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6b39f987ae8ccdf0d2642338faf2abb1862340facc796048b604ef14919e55ed", size = 147936, upload-time = "2025-10-14T04:41:14.461Z" }, + { url = "https://files.pythonhosted.org/packages/89/c5/adb8c8b3d6625bef6d88b251bbb0d95f8205831b987631ab0c8bb5d937c2/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:3162d5d8ce1bb98dd51af660f2121c55d0fa541b46dff7bb9b9f86ea1d87de72", size = 144180, upload-time = "2025-10-14T04:41:15.588Z" }, + { url = "https://files.pythonhosted.org/packages/91/ed/9706e4070682d1cc219050b6048bfd293ccf67b3d4f5a4f39207453d4b99/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:81d5eb2a312700f4ecaa977a8235b634ce853200e828fbadf3a9c50bab278328", size = 161346, upload-time = "2025-10-14T04:41:16.738Z" }, + { url = "https://files.pythonhosted.org/packages/d5/0d/031f0d95e4972901a2f6f09ef055751805ff541511dc1252ba3ca1f80cf5/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5bd2293095d766545ec1a8f612559f6b40abc0eb18bb2f5d1171872d34036ede", size = 158874, upload-time = "2025-10-14T04:41:17.923Z" }, + { url = 
"https://files.pythonhosted.org/packages/f5/83/6ab5883f57c9c801ce5e5677242328aa45592be8a00644310a008d04f922/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a8a8b89589086a25749f471e6a900d3f662d1d3b6e2e59dcecf787b1cc3a1894", size = 153076, upload-time = "2025-10-14T04:41:19.106Z" }, + { url = "https://files.pythonhosted.org/packages/75/1e/5ff781ddf5260e387d6419959ee89ef13878229732732ee73cdae01800f2/charset_normalizer-3.4.4-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:bc7637e2f80d8530ee4a78e878bce464f70087ce73cf7c1caf142416923b98f1", size = 150601, upload-time = "2025-10-14T04:41:20.245Z" }, + { url = "https://files.pythonhosted.org/packages/d7/57/71be810965493d3510a6ca79b90c19e48696fb1ff964da319334b12677f0/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f8bf04158c6b607d747e93949aa60618b61312fe647a6369f88ce2ff16043490", size = 150376, upload-time = "2025-10-14T04:41:21.398Z" }, + { url = "https://files.pythonhosted.org/packages/e5/d5/c3d057a78c181d007014feb7e9f2e65905a6c4ef182c0ddf0de2924edd65/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:554af85e960429cf30784dd47447d5125aaa3b99a6f0683589dbd27e2f45da44", size = 144825, upload-time = "2025-10-14T04:41:22.583Z" }, + { url = "https://files.pythonhosted.org/packages/e6/8c/d0406294828d4976f275ffbe66f00266c4b3136b7506941d87c00cab5272/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:74018750915ee7ad843a774364e13a3db91682f26142baddf775342c3f5b1133", size = 162583, upload-time = "2025-10-14T04:41:23.754Z" }, + { url = "https://files.pythonhosted.org/packages/d7/24/e2aa1f18c8f15c4c0e932d9287b8609dd30ad56dbe41d926bd846e22fb8d/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:c0463276121fdee9c49b98908b3a89c39be45d86d1dbaa22957e38f6321d4ce3", size = 150366, upload-time = "2025-10-14T04:41:25.27Z" }, 
+ { url = "https://files.pythonhosted.org/packages/e4/5b/1e6160c7739aad1e2df054300cc618b06bf784a7a164b0f238360721ab86/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:362d61fd13843997c1c446760ef36f240cf81d3ebf74ac62652aebaf7838561e", size = 160300, upload-time = "2025-10-14T04:41:26.725Z" }, + { url = "https://files.pythonhosted.org/packages/7a/10/f882167cd207fbdd743e55534d5d9620e095089d176d55cb22d5322f2afd/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:9a26f18905b8dd5d685d6d07b0cdf98a79f3c7a918906af7cc143ea2e164c8bc", size = 154465, upload-time = "2025-10-14T04:41:28.322Z" }, + { url = "https://files.pythonhosted.org/packages/89/66/c7a9e1b7429be72123441bfdbaf2bc13faab3f90b933f664db506dea5915/charset_normalizer-3.4.4-cp313-cp313-win32.whl", hash = "sha256:9b35f4c90079ff2e2edc5b26c0c77925e5d2d255c42c74fdb70fb49b172726ac", size = 99404, upload-time = "2025-10-14T04:41:29.95Z" }, + { url = "https://files.pythonhosted.org/packages/c4/26/b9924fa27db384bdcd97ab83b4f0a8058d96ad9626ead570674d5e737d90/charset_normalizer-3.4.4-cp313-cp313-win_amd64.whl", hash = "sha256:b435cba5f4f750aa6c0a0d92c541fb79f69a387c91e61f1795227e4ed9cece14", size = 107092, upload-time = "2025-10-14T04:41:31.188Z" }, + { url = "https://files.pythonhosted.org/packages/af/8f/3ed4bfa0c0c72a7ca17f0380cd9e4dd842b09f664e780c13cff1dcf2ef1b/charset_normalizer-3.4.4-cp313-cp313-win_arm64.whl", hash = "sha256:542d2cee80be6f80247095cc36c418f7bddd14f4a6de45af91dfad36d817bba2", size = 100408, upload-time = "2025-10-14T04:41:32.624Z" }, + { url = "https://files.pythonhosted.org/packages/2a/35/7051599bd493e62411d6ede36fd5af83a38f37c4767b92884df7301db25d/charset_normalizer-3.4.4-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:da3326d9e65ef63a817ecbcc0df6e94463713b754fe293eaa03da99befb9a5bd", size = 207746, upload-time = "2025-10-14T04:41:33.773Z" }, + { url = 
"https://files.pythonhosted.org/packages/10/9a/97c8d48ef10d6cd4fcead2415523221624bf58bcf68a802721a6bc807c8f/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:8af65f14dc14a79b924524b1e7fffe304517b2bff5a58bf64f30b98bbc5079eb", size = 147889, upload-time = "2025-10-14T04:41:34.897Z" }, + { url = "https://files.pythonhosted.org/packages/10/bf/979224a919a1b606c82bd2c5fa49b5c6d5727aa47b4312bb27b1734f53cd/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74664978bb272435107de04e36db5a9735e78232b85b77d45cfb38f758efd33e", size = 143641, upload-time = "2025-10-14T04:41:36.116Z" }, + { url = "https://files.pythonhosted.org/packages/ba/33/0ad65587441fc730dc7bd90e9716b30b4702dc7b617e6ba4997dc8651495/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:752944c7ffbfdd10c074dc58ec2d5a8a4cd9493b314d367c14d24c17684ddd14", size = 160779, upload-time = "2025-10-14T04:41:37.229Z" }, + { url = "https://files.pythonhosted.org/packages/67/ed/331d6b249259ee71ddea93f6f2f0a56cfebd46938bde6fcc6f7b9a3d0e09/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d1f13550535ad8cff21b8d757a3257963e951d96e20ec82ab44bc64aeb62a191", size = 159035, upload-time = "2025-10-14T04:41:38.368Z" }, + { url = "https://files.pythonhosted.org/packages/67/ff/f6b948ca32e4f2a4576aa129d8bed61f2e0543bf9f5f2b7fc3758ed005c9/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ecaae4149d99b1c9e7b88bb03e3221956f68fd6d50be2ef061b2381b61d20838", size = 152542, upload-time = "2025-10-14T04:41:39.862Z" }, + { url = 
"https://files.pythonhosted.org/packages/16/85/276033dcbcc369eb176594de22728541a925b2632f9716428c851b149e83/charset_normalizer-3.4.4-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:cb6254dc36b47a990e59e1068afacdcd02958bdcce30bb50cc1700a8b9d624a6", size = 149524, upload-time = "2025-10-14T04:41:41.319Z" }, + { url = "https://files.pythonhosted.org/packages/9e/f2/6a2a1f722b6aba37050e626530a46a68f74e63683947a8acff92569f979a/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:c8ae8a0f02f57a6e61203a31428fa1d677cbe50c93622b4149d5c0f319c1d19e", size = 150395, upload-time = "2025-10-14T04:41:42.539Z" }, + { url = "https://files.pythonhosted.org/packages/60/bb/2186cb2f2bbaea6338cad15ce23a67f9b0672929744381e28b0592676824/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:47cc91b2f4dd2833fddaedd2893006b0106129d4b94fdb6af1f4ce5a9965577c", size = 143680, upload-time = "2025-10-14T04:41:43.661Z" }, + { url = "https://files.pythonhosted.org/packages/7d/a5/bf6f13b772fbb2a90360eb620d52ed8f796f3c5caee8398c3b2eb7b1c60d/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:82004af6c302b5d3ab2cfc4cc5f29db16123b1a8417f2e25f9066f91d4411090", size = 162045, upload-time = "2025-10-14T04:41:44.821Z" }, + { url = "https://files.pythonhosted.org/packages/df/c5/d1be898bf0dc3ef9030c3825e5d3b83f2c528d207d246cbabe245966808d/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:2b7d8f6c26245217bd2ad053761201e9f9680f8ce52f0fcd8d0755aeae5b2152", size = 149687, upload-time = "2025-10-14T04:41:46.442Z" }, + { url = "https://files.pythonhosted.org/packages/a5/42/90c1f7b9341eef50c8a1cb3f098ac43b0508413f33affd762855f67a410e/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:799a7a5e4fb2d5898c60b640fd4981d6a25f1c11790935a44ce38c54e985f828", size = 160014, upload-time = "2025-10-14T04:41:47.631Z" }, + { url = 
"https://files.pythonhosted.org/packages/76/be/4d3ee471e8145d12795ab655ece37baed0929462a86e72372fd25859047c/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:99ae2cffebb06e6c22bdc25801d7b30f503cc87dbd283479e7b606f70aff57ec", size = 154044, upload-time = "2025-10-14T04:41:48.81Z" }, + { url = "https://files.pythonhosted.org/packages/b0/6f/8f7af07237c34a1defe7defc565a9bc1807762f672c0fde711a4b22bf9c0/charset_normalizer-3.4.4-cp314-cp314-win32.whl", hash = "sha256:f9d332f8c2a2fcbffe1378594431458ddbef721c1769d78e2cbc06280d8155f9", size = 99940, upload-time = "2025-10-14T04:41:49.946Z" }, + { url = "https://files.pythonhosted.org/packages/4b/51/8ade005e5ca5b0d80fb4aff72a3775b325bdc3d27408c8113811a7cbe640/charset_normalizer-3.4.4-cp314-cp314-win_amd64.whl", hash = "sha256:8a6562c3700cce886c5be75ade4a5db4214fda19fede41d9792d100288d8f94c", size = 107104, upload-time = "2025-10-14T04:41:51.051Z" }, + { url = "https://files.pythonhosted.org/packages/da/5f/6b8f83a55bb8278772c5ae54a577f3099025f9ade59d0136ac24a0df4bde/charset_normalizer-3.4.4-cp314-cp314-win_arm64.whl", hash = "sha256:de00632ca48df9daf77a2c65a484531649261ec9f25489917f09e455cb09ddb2", size = 100743, upload-time = "2025-10-14T04:41:52.122Z" }, + { url = "https://files.pythonhosted.org/packages/0a/4c/925909008ed5a988ccbb72dcc897407e5d6d3bd72410d69e051fc0c14647/charset_normalizer-3.4.4-py3-none-any.whl", hash = "sha256:7a32c560861a02ff789ad905a2fe94e3f840803362c84fecf1851cb4cf3dc37f", size = 53402, upload-time = "2025-10-14T04:42:31.76Z" }, +] + +[[package]] +name = "click" +version = "8.3.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "colorama", marker = "sys_platform == 'win32'" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/3d/fa/656b739db8587d7b5dfa22e22ed02566950fbfbcdc20311993483657a5c0/click-8.3.1.tar.gz", hash = "sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a", size = 295065, upload-time = 
"2025-11-15T20:45:42.706Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/98/78/01c019cdb5d6498122777c1a43056ebb3ebfeef2076d9d026bfe15583b2b/click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6", size = 108274, upload-time = "2025-11-15T20:45:41.139Z" }, +] + +[[package]] +name = "colorama" +version = "0.4.6" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44", size = 27697, upload-time = "2022-10-25T02:36:22.414Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" }, +] + +[[package]] +name = "idna" +version = "3.11" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/6f/6d/0703ccc57f3a7233505399edb88de3cbd678da106337b9fcde432b65ed60/idna-3.11.tar.gz", hash = "sha256:795dafcc9c04ed0c1fb032c2aa73654d8e8c5023a7df64a53f39190ada629902", size = 194582, upload-time = "2025-10-12T14:55:20.501Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/0e/61/66938bbb5fc52dbdf84594873d5b51fb1f7c7794e9c0f5bd885f30bc507b/idna-3.11-py3-none-any.whl", hash = "sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea", size = 71008, upload-time = "2025-10-12T14:55:18.883Z" }, +] + +[[package]] +name = "lockfile" +version = "0.12.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/17/47/72cb04a58a35ec495f96984dddb48232b551aafb95bde614605b754fe6f7/lockfile-0.12.2.tar.gz", hash = 
"sha256:6aed02de03cba24efabcd600b30540140634fc06cfa603822d508d5361e9f799", size = 20874, upload-time = "2015-11-25T18:29:58.279Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c8/22/9460e311f340cb62d26a38c419b1381b8593b0bb6b5d1f056938b086d362/lockfile-0.12.2-py2.py3-none-any.whl", hash = "sha256:6c3cb24f344923d30b2785d5ad75182c8ea7ac1b6171b08657258ec7429d50fa", size = 13564, upload-time = "2015-11-25T18:29:51.462Z" }, +] + +[[package]] +name = "markdown-it-py" +version = "4.0.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "mdurl" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/5b/f5/4ec618ed16cc4f8fb3b701563655a69816155e79e24a17b651541804721d/markdown_it_py-4.0.0.tar.gz", hash = "sha256:cb0a2b4aa34f932c007117b194e945bd74e0ec24133ceb5bac59009cda1cb9f3", size = 73070, upload-time = "2025-08-11T12:57:52.854Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/94/54/e7d793b573f298e1c9013b8c4dade17d481164aa517d1d7148619c2cedbf/markdown_it_py-4.0.0-py3-none-any.whl", hash = "sha256:87327c59b172c5011896038353a81343b6754500a08cd7a4973bb48c6d578147", size = 87321, upload-time = "2025-08-11T12:57:51.923Z" }, +] + +[[package]] +name = "mdurl" +version = "0.1.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d6/54/cfe61301667036ec958cb99bd3efefba235e65cdeb9c84d24a8293ba1d90/mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba", size = 8729, upload-time = "2022-08-14T12:40:10.846Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b3/38/89ba8ad64ae25be8de66a6d463314cf1eb366222074cfda9ee839c56a4b4/mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8", size = 9979, upload-time = "2022-08-14T12:40:09.779Z" }, +] + +[[package]] +name = "numpy" +version = "2.4.1" +source = { registry = "https://pypi.org/simple" } +sdist 
= { url = "https://files.pythonhosted.org/packages/24/62/ae72ff66c0f1fd959925b4c11f8c2dea61f47f6acaea75a08512cdfe3fed/numpy-2.4.1.tar.gz", hash = "sha256:a1ceafc5042451a858231588a104093474c6a5c57dcc724841f5c888d237d690", size = 20721320, upload-time = "2026-01-10T06:44:59.619Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/04/68/732d4b7811c00775f3bd522a21e8dd5a23f77eb11acdeb663e4a4ebf0ef4/numpy-2.4.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:d797454e37570cfd61143b73b8debd623c3c0952959adb817dd310a483d58a1b", size = 16652495, upload-time = "2026-01-10T06:43:06.283Z" }, + { url = "https://files.pythonhosted.org/packages/20/ca/857722353421a27f1465652b2c66813eeeccea9d76d5f7b74b99f298e60e/numpy-2.4.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:82c55962006156aeef1629b953fd359064aa47e4d82cfc8e67f0918f7da3344f", size = 12368657, upload-time = "2026-01-10T06:43:09.094Z" }, + { url = "https://files.pythonhosted.org/packages/81/0d/2377c917513449cc6240031a79d30eb9a163d32a91e79e0da47c43f2c0c8/numpy-2.4.1-cp313-cp313-macosx_14_0_arm64.whl", hash = "sha256:71abbea030f2cfc3092a0ff9f8c8fdefdc5e0bf7d9d9c99663538bb0ecdac0b9", size = 5197256, upload-time = "2026-01-10T06:43:13.634Z" }, + { url = "https://files.pythonhosted.org/packages/17/39/569452228de3f5de9064ac75137082c6214be1f5c532016549a7923ab4b5/numpy-2.4.1-cp313-cp313-macosx_14_0_x86_64.whl", hash = "sha256:5b55aa56165b17aaf15520beb9cbd33c9039810e0d9643dd4379e44294c7303e", size = 6545212, upload-time = "2026-01-10T06:43:15.661Z" }, + { url = "https://files.pythonhosted.org/packages/8c/a4/77333f4d1e4dac4395385482557aeecf4826e6ff517e32ca48e1dafbe42a/numpy-2.4.1-cp313-cp313-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c0faba4a331195bfa96f93dd9dfaa10b2c7aa8cda3a02b7fd635e588fe821bf5", size = 14402871, upload-time = "2026-01-10T06:43:17.324Z" }, + { url = 
"https://files.pythonhosted.org/packages/ba/87/d341e519956273b39d8d47969dd1eaa1af740615394fe67d06f1efa68773/numpy-2.4.1-cp313-cp313-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:d3e3087f53e2b4428766b54932644d148613c5a595150533ae7f00dab2f319a8", size = 16359305, upload-time = "2026-01-10T06:43:19.376Z" }, + { url = "https://files.pythonhosted.org/packages/32/91/789132c6666288eaa20ae8066bb99eba1939362e8f1a534949a215246e97/numpy-2.4.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:49e792ec351315e16da54b543db06ca8a86985ab682602d90c60ef4ff4db2a9c", size = 16181909, upload-time = "2026-01-10T06:43:21.808Z" }, + { url = "https://files.pythonhosted.org/packages/cf/b8/090b8bd27b82a844bb22ff8fdf7935cb1980b48d6e439ae116f53cdc2143/numpy-2.4.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:79e9e06c4c2379db47f3f6fc7a8652e7498251789bf8ff5bd43bf478ef314ca2", size = 18284380, upload-time = "2026-01-10T06:43:23.957Z" }, + { url = "https://files.pythonhosted.org/packages/67/78/722b62bd31842ff029412271556a1a27a98f45359dea78b1548a3a9996aa/numpy-2.4.1-cp313-cp313-win32.whl", hash = "sha256:3d1a100e48cb266090a031397863ff8a30050ceefd798f686ff92c67a486753d", size = 5957089, upload-time = "2026-01-10T06:43:27.535Z" }, + { url = "https://files.pythonhosted.org/packages/da/a6/cf32198b0b6e18d4fbfa9a21a992a7fca535b9bb2b0cdd217d4a3445b5ca/numpy-2.4.1-cp313-cp313-win_amd64.whl", hash = "sha256:92a0e65272fd60bfa0d9278e0484c2f52fe03b97aedc02b357f33fe752c52ffb", size = 12307230, upload-time = "2026-01-10T06:43:29.298Z" }, + { url = "https://files.pythonhosted.org/packages/44/6c/534d692bfb7d0afe30611320c5fb713659dcb5104d7cc182aff2aea092f5/numpy-2.4.1-cp313-cp313-win_arm64.whl", hash = "sha256:20d4649c773f66cc2fc36f663e091f57c3b7655f936a4c681b4250855d1da8f5", size = 10313125, upload-time = "2026-01-10T06:43:31.782Z" }, + { url = 
"https://files.pythonhosted.org/packages/da/a1/354583ac5c4caa566de6ddfbc42744409b515039e085fab6e0ff942e0df5/numpy-2.4.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:f93bc6892fe7b0663e5ffa83b61aab510aacffd58c16e012bb9352d489d90cb7", size = 12496156, upload-time = "2026-01-10T06:43:34.237Z" }, + { url = "https://files.pythonhosted.org/packages/51/b0/42807c6e8cce58c00127b1dc24d365305189991f2a7917aa694a109c8d7d/numpy-2.4.1-cp313-cp313t-macosx_14_0_arm64.whl", hash = "sha256:178de8f87948163d98a4c9ab5bee4ce6519ca918926ec8df195af582de28544d", size = 5324663, upload-time = "2026-01-10T06:43:36.211Z" }, + { url = "https://files.pythonhosted.org/packages/fe/55/7a621694010d92375ed82f312b2f28017694ed784775269115323e37f5e2/numpy-2.4.1-cp313-cp313t-macosx_14_0_x86_64.whl", hash = "sha256:98b35775e03ab7f868908b524fc0a84d38932d8daf7b7e1c3c3a1b6c7a2c9f15", size = 6645224, upload-time = "2026-01-10T06:43:37.884Z" }, + { url = "https://files.pythonhosted.org/packages/50/96/9fa8635ed9d7c847d87e30c834f7109fac5e88549d79ef3324ab5c20919f/numpy-2.4.1-cp313-cp313t-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:941c2a93313d030f219f3a71fd3d91a728b82979a5e8034eb2e60d394a2b83f9", size = 14462352, upload-time = "2026-01-10T06:43:39.479Z" }, + { url = "https://files.pythonhosted.org/packages/03/d1/8cf62d8bb2062da4fb82dd5d49e47c923f9c0738032f054e0a75342faba7/numpy-2.4.1-cp313-cp313t-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:529050522e983e00a6c1c6b67411083630de8b57f65e853d7b03d9281b8694d2", size = 16407279, upload-time = "2026-01-10T06:43:41.93Z" }, + { url = "https://files.pythonhosted.org/packages/86/1c/95c86e17c6b0b31ce6ef219da00f71113b220bcb14938c8d9a05cee0ff53/numpy-2.4.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:2302dc0224c1cbc49bb94f7064f3f923a971bfae45c33870dcbff63a2a550505", size = 16248316, upload-time = "2026-01-10T06:43:44.121Z" }, + { url = 
"https://files.pythonhosted.org/packages/30/b4/e7f5ff8697274c9d0fa82398b6a372a27e5cef069b37df6355ccb1f1db1a/numpy-2.4.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:9171a42fcad32dcf3fa86f0a4faa5e9f8facefdb276f54b8b390d90447cff4e2", size = 18329884, upload-time = "2026-01-10T06:43:46.613Z" }, + { url = "https://files.pythonhosted.org/packages/37/a4/b073f3e9d77f9aec8debe8ca7f9f6a09e888ad1ba7488f0c3b36a94c03ac/numpy-2.4.1-cp313-cp313t-win32.whl", hash = "sha256:382ad67d99ef49024f11d1ce5dcb5ad8432446e4246a4b014418ba3a1175a1f4", size = 6081138, upload-time = "2026-01-10T06:43:48.854Z" }, + { url = "https://files.pythonhosted.org/packages/16/16/af42337b53844e67752a092481ab869c0523bc95c4e5c98e4dac4e9581ac/numpy-2.4.1-cp313-cp313t-win_amd64.whl", hash = "sha256:62fea415f83ad8fdb6c20840578e5fbaf5ddd65e0ec6c3c47eda0f69da172510", size = 12447478, upload-time = "2026-01-10T06:43:50.476Z" }, + { url = "https://files.pythonhosted.org/packages/6c/f8/fa85b2eac68ec631d0b631abc448552cb17d39afd17ec53dcbcc3537681a/numpy-2.4.1-cp313-cp313t-win_arm64.whl", hash = "sha256:a7870e8c5fc11aef57d6fea4b4085e537a3a60ad2cdd14322ed531fdca68d261", size = 10382981, upload-time = "2026-01-10T06:43:52.575Z" }, + { url = "https://files.pythonhosted.org/packages/1b/a7/ef08d25698e0e4b4efbad8d55251d20fe2a15f6d9aa7c9b30cd03c165e6f/numpy-2.4.1-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:3869ea1ee1a1edc16c29bbe3a2f2a4e515cc3a44d43903ad41e0cacdbaf733dc", size = 16652046, upload-time = "2026-01-10T06:43:54.797Z" }, + { url = "https://files.pythonhosted.org/packages/8f/39/e378b3e3ca13477e5ac70293ec027c438d1927f18637e396fe90b1addd72/numpy-2.4.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:e867df947d427cdd7a60e3e271729090b0f0df80f5f10ab7dd436f40811699c3", size = 12378858, upload-time = "2026-01-10T06:43:57.099Z" }, + { url = "https://files.pythonhosted.org/packages/c3/74/7ec6154f0006910ed1fdbb7591cf4432307033102b8a22041599935f8969/numpy-2.4.1-cp314-cp314-macosx_14_0_arm64.whl", hash = 
"sha256:e3bd2cb07841166420d2fa7146c96ce00cb3410664cbc1a6be028e456c4ee220", size = 5207417, upload-time = "2026-01-10T06:43:59.037Z" }, + { url = "https://files.pythonhosted.org/packages/f7/b7/053ac11820d84e42f8feea5cb81cc4fcd1091499b45b1ed8c7415b1bf831/numpy-2.4.1-cp314-cp314-macosx_14_0_x86_64.whl", hash = "sha256:f0a90aba7d521e6954670550e561a4cb925713bd944445dbe9e729b71f6cabee", size = 6542643, upload-time = "2026-01-10T06:44:01.852Z" }, + { url = "https://files.pythonhosted.org/packages/c0/c4/2e7908915c0e32ca636b92e4e4a3bdec4cb1e7eb0f8aedf1ed3c68a0d8cd/numpy-2.4.1-cp314-cp314-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5d558123217a83b2d1ba316b986e9248a1ed1971ad495963d555ccd75dcb1556", size = 14418963, upload-time = "2026-01-10T06:44:04.047Z" }, + { url = "https://files.pythonhosted.org/packages/eb/c0/3ed5083d94e7ffd7c404e54619c088e11f2e1939a9544f5397f4adb1b8ba/numpy-2.4.1-cp314-cp314-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2f44de05659b67d20499cbc96d49f2650769afcb398b79b324bb6e297bfe3844", size = 16363811, upload-time = "2026-01-10T06:44:06.207Z" }, + { url = "https://files.pythonhosted.org/packages/0e/68/42b66f1852bf525050a67315a4fb94586ab7e9eaa541b1bef530fab0c5dd/numpy-2.4.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:69e7419c9012c4aaf695109564e3387f1259f001b4326dfa55907b098af082d3", size = 16197643, upload-time = "2026-01-10T06:44:08.33Z" }, + { url = "https://files.pythonhosted.org/packages/d2/40/e8714fc933d85f82c6bfc7b998a0649ad9769a32f3494ba86598aaf18a48/numpy-2.4.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:2ffd257026eb1b34352e749d7cc1678b5eeec3e329ad8c9965a797e08ccba205", size = 18289601, upload-time = "2026-01-10T06:44:10.841Z" }, + { url = "https://files.pythonhosted.org/packages/80/9a/0d44b468cad50315127e884802351723daca7cf1c98d102929468c81d439/numpy-2.4.1-cp314-cp314-win32.whl", hash = "sha256:727c6c3275ddefa0dc078524a85e064c057b4f4e71ca5ca29a19163c607be745", size = 6005722, 
upload-time = "2026-01-10T06:44:13.332Z" }, + { url = "https://files.pythonhosted.org/packages/7e/bb/c6513edcce5a831810e2dddc0d3452ce84d208af92405a0c2e58fd8e7881/numpy-2.4.1-cp314-cp314-win_amd64.whl", hash = "sha256:7d5d7999df434a038d75a748275cd6c0094b0ecdb0837342b332a82defc4dc4d", size = 12438590, upload-time = "2026-01-10T06:44:15.006Z" }, + { url = "https://files.pythonhosted.org/packages/e9/da/a598d5cb260780cf4d255102deba35c1d072dc028c4547832f45dd3323a8/numpy-2.4.1-cp314-cp314-win_arm64.whl", hash = "sha256:ce9ce141a505053b3c7bce3216071f3bf5c182b8b28930f14cd24d43932cd2df", size = 10596180, upload-time = "2026-01-10T06:44:17.386Z" }, + { url = "https://files.pythonhosted.org/packages/de/bc/ea3f2c96fcb382311827231f911723aeff596364eb6e1b6d1d91128aa29b/numpy-2.4.1-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:4e53170557d37ae404bf8d542ca5b7c629d6efa1117dac6a83e394142ea0a43f", size = 12498774, upload-time = "2026-01-10T06:44:19.467Z" }, + { url = "https://files.pythonhosted.org/packages/aa/ab/ef9d939fe4a812648c7a712610b2ca6140b0853c5efea361301006c02ae5/numpy-2.4.1-cp314-cp314t-macosx_14_0_arm64.whl", hash = "sha256:a73044b752f5d34d4232f25f18160a1cc418ea4507f5f11e299d8ac36875f8a0", size = 5327274, upload-time = "2026-01-10T06:44:23.189Z" }, + { url = "https://files.pythonhosted.org/packages/bd/31/d381368e2a95c3b08b8cf7faac6004849e960f4a042d920337f71cef0cae/numpy-2.4.1-cp314-cp314t-macosx_14_0_x86_64.whl", hash = "sha256:fb1461c99de4d040666ca0444057b06541e5642f800b71c56e6ea92d6a853a0c", size = 6648306, upload-time = "2026-01-10T06:44:25.012Z" }, + { url = "https://files.pythonhosted.org/packages/c8/e5/0989b44ade47430be6323d05c23207636d67d7362a1796ccbccac6773dd2/numpy-2.4.1-cp314-cp314t-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:423797bdab2eeefbe608d7c1ec7b2b4fd3c58d51460f1ee26c7500a1d9c9ee93", size = 14464653, upload-time = "2026-01-10T06:44:26.706Z" }, + { url = 
"https://files.pythonhosted.org/packages/10/a7/cfbe475c35371cae1358e61f20c5f075badc18c4797ab4354140e1d283cf/numpy-2.4.1-cp314-cp314t-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:52b5f61bdb323b566b528899cc7db2ba5d1015bda7ea811a8bcf3c89c331fa42", size = 16405144, upload-time = "2026-01-10T06:44:29.378Z" }, + { url = "https://files.pythonhosted.org/packages/f8/a3/0c63fe66b534888fa5177cc7cef061541064dbe2b4b60dcc60ffaf0d2157/numpy-2.4.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:42d7dd5fa36d16d52a84f821eb96031836fd405ee6955dd732f2023724d0aa01", size = 16247425, upload-time = "2026-01-10T06:44:31.721Z" }, + { url = "https://files.pythonhosted.org/packages/6b/2b/55d980cfa2c93bd40ff4c290bf824d792bd41d2fe3487b07707559071760/numpy-2.4.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:e7b6b5e28bbd47b7532698e5db2fe1db693d84b58c254e4389d99a27bb9b8f6b", size = 18330053, upload-time = "2026-01-10T06:44:34.617Z" }, + { url = "https://files.pythonhosted.org/packages/23/12/8b5fc6b9c487a09a7957188e0943c9ff08432c65e34567cabc1623b03a51/numpy-2.4.1-cp314-cp314t-win32.whl", hash = "sha256:5de60946f14ebe15e713a6f22850c2372fa72f4ff9a432ab44aa90edcadaa65a", size = 6152482, upload-time = "2026-01-10T06:44:36.798Z" }, + { url = "https://files.pythonhosted.org/packages/00/a5/9f8ca5856b8940492fc24fbe13c1bc34d65ddf4079097cf9e53164d094e1/numpy-2.4.1-cp314-cp314t-win_amd64.whl", hash = "sha256:8f085da926c0d491ffff3096f91078cc97ea67e7e6b65e490bc8dcda65663be2", size = 12627117, upload-time = "2026-01-10T06:44:38.828Z" }, + { url = "https://files.pythonhosted.org/packages/ad/0d/eca3d962f9eef265f01a8e0d20085c6dd1f443cbffc11b6dede81fd82356/numpy-2.4.1-cp314-cp314t-win_arm64.whl", hash = "sha256:6436cffb4f2bf26c974344439439c95e152c9a527013f26b3577be6c2ca64295", size = 10667121, upload-time = "2026-01-10T06:44:41.644Z" }, +] + +[[package]] +name = "packaging" +version = "26.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = 
"https://files.pythonhosted.org/packages/65/ee/299d360cdc32edc7d2cf530f3accf79c4fca01e96ffc950d8a52213bd8e4/packaging-26.0.tar.gz", hash = "sha256:00243ae351a257117b6a241061796684b084ed1c516a08c48a3f7e147a9d80b4", size = 143416, upload-time = "2026-01-21T20:50:39.064Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b7/b9/c538f279a4e237a006a2c98387d081e9eb060d203d8ed34467cc0f0b9b53/packaging-26.0-py3-none-any.whl", hash = "sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529", size = 74366, upload-time = "2026-01-21T20:50:37.788Z" }, +] + +[[package]] +name = "pandas" +version = "2.3.3" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "numpy" }, + { name = "python-dateutil" }, + { name = "pytz" }, + { name = "tzdata" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/33/01/d40b85317f86cf08d853a4f495195c73815fdf205eef3993821720274518/pandas-2.3.3.tar.gz", hash = "sha256:e05e1af93b977f7eafa636d043f9f94c7ee3ac81af99c13508215942e64c993b", size = 4495223, upload-time = "2025-09-29T23:34:51.853Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/cd/4b/18b035ee18f97c1040d94debd8f2e737000ad70ccc8f5513f4eefad75f4b/pandas-2.3.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:56851a737e3470de7fa88e6131f41281ed440d29a9268dcbf0002da5ac366713", size = 11544671, upload-time = "2025-09-29T23:21:05.024Z" }, + { url = "https://files.pythonhosted.org/packages/31/94/72fac03573102779920099bcac1c3b05975c2cb5f01eac609faf34bed1ca/pandas-2.3.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:bdcd9d1167f4885211e401b3036c0c8d9e274eee67ea8d0758a256d60704cfe8", size = 10680807, upload-time = "2025-09-29T23:21:15.979Z" }, + { url = "https://files.pythonhosted.org/packages/16/87/9472cf4a487d848476865321de18cc8c920b8cab98453ab79dbbc98db63a/pandas-2.3.3-cp313-cp313-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:e32e7cc9af0f1cc15548288a51a3b681cc2a219faa838e995f7dc53dbab1062d", 
size = 11709872, upload-time = "2025-09-29T23:21:27.165Z" }, + { url = "https://files.pythonhosted.org/packages/15/07/284f757f63f8a8d69ed4472bfd85122bd086e637bf4ed09de572d575a693/pandas-2.3.3-cp313-cp313-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:318d77e0e42a628c04dc56bcef4b40de67918f7041c2b061af1da41dcff670ac", size = 12306371, upload-time = "2025-09-29T23:21:40.532Z" }, + { url = "https://files.pythonhosted.org/packages/33/81/a3afc88fca4aa925804a27d2676d22dcd2031c2ebe08aabd0ae55b9ff282/pandas-2.3.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4e0a175408804d566144e170d0476b15d78458795bb18f1304fb94160cabf40c", size = 12765333, upload-time = "2025-09-29T23:21:55.77Z" }, + { url = "https://files.pythonhosted.org/packages/8d/0f/b4d4ae743a83742f1153464cf1a8ecfafc3ac59722a0b5c8602310cb7158/pandas-2.3.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:93c2d9ab0fc11822b5eece72ec9587e172f63cff87c00b062f6e37448ced4493", size = 13418120, upload-time = "2025-09-29T23:22:10.109Z" }, + { url = "https://files.pythonhosted.org/packages/4f/c7/e54682c96a895d0c808453269e0b5928a07a127a15704fedb643e9b0a4c8/pandas-2.3.3-cp313-cp313-win_amd64.whl", hash = "sha256:f8bfc0e12dc78f777f323f55c58649591b2cd0c43534e8355c51d3fede5f4dee", size = 10993991, upload-time = "2025-09-29T23:25:04.889Z" }, + { url = "https://files.pythonhosted.org/packages/f9/ca/3f8d4f49740799189e1395812f3bf23b5e8fc7c190827d55a610da72ce55/pandas-2.3.3-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:75ea25f9529fdec2d2e93a42c523962261e567d250b0013b16210e1d40d7c2e5", size = 12048227, upload-time = "2025-09-29T23:22:24.343Z" }, + { url = "https://files.pythonhosted.org/packages/0e/5a/f43efec3e8c0cc92c4663ccad372dbdff72b60bdb56b2749f04aa1d07d7e/pandas-2.3.3-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:74ecdf1d301e812db96a465a525952f4dde225fdb6d8e5a521d47e1f42041e21", size = 11411056, upload-time = "2025-09-29T23:22:37.762Z" }, + { url = 
"https://files.pythonhosted.org/packages/46/b1/85331edfc591208c9d1a63a06baa67b21d332e63b7a591a5ba42a10bb507/pandas-2.3.3-cp313-cp313t-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6435cb949cb34ec11cc9860246ccb2fdc9ecd742c12d3304989017d53f039a78", size = 11645189, upload-time = "2025-09-29T23:22:51.688Z" }, + { url = "https://files.pythonhosted.org/packages/44/23/78d645adc35d94d1ac4f2a3c4112ab6f5b8999f4898b8cdf01252f8df4a9/pandas-2.3.3-cp313-cp313t-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:900f47d8f20860de523a1ac881c4c36d65efcb2eb850e6948140fa781736e110", size = 12121912, upload-time = "2025-09-29T23:23:05.042Z" }, + { url = "https://files.pythonhosted.org/packages/53/da/d10013df5e6aaef6b425aa0c32e1fc1f3e431e4bcabd420517dceadce354/pandas-2.3.3-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:a45c765238e2ed7d7c608fc5bc4a6f88b642f2f01e70c0c23d2224dd21829d86", size = 12712160, upload-time = "2025-09-29T23:23:28.57Z" }, + { url = "https://files.pythonhosted.org/packages/bd/17/e756653095a083d8a37cbd816cb87148debcfcd920129b25f99dd8d04271/pandas-2.3.3-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:c4fc4c21971a1a9f4bdb4c73978c7f7256caa3e62b323f70d6cb80db583350bc", size = 13199233, upload-time = "2025-09-29T23:24:24.876Z" }, + { url = "https://files.pythonhosted.org/packages/04/fd/74903979833db8390b73b3a8a7d30d146d710bd32703724dd9083950386f/pandas-2.3.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:ee15f284898e7b246df8087fc82b87b01686f98ee67d85a17b7ab44143a3a9a0", size = 11540635, upload-time = "2025-09-29T23:25:52.486Z" }, + { url = "https://files.pythonhosted.org/packages/21/00/266d6b357ad5e6d3ad55093a7e8efc7dd245f5a842b584db9f30b0f0a287/pandas-2.3.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:1611aedd912e1ff81ff41c745822980c49ce4a7907537be8692c8dbc31924593", size = 10759079, upload-time = "2025-09-29T23:26:33.204Z" }, + { url = 
"https://files.pythonhosted.org/packages/ca/05/d01ef80a7a3a12b2f8bbf16daba1e17c98a2f039cbc8e2f77a2c5a63d382/pandas-2.3.3-cp314-cp314-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6d2cefc361461662ac48810cb14365a365ce864afe85ef1f447ff5a1e99ea81c", size = 11814049, upload-time = "2025-09-29T23:27:15.384Z" }, + { url = "https://files.pythonhosted.org/packages/15/b2/0e62f78c0c5ba7e3d2c5945a82456f4fac76c480940f805e0b97fcbc2f65/pandas-2.3.3-cp314-cp314-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ee67acbbf05014ea6c763beb097e03cd629961c8a632075eeb34247120abcb4b", size = 12332638, upload-time = "2025-09-29T23:27:51.625Z" }, + { url = "https://files.pythonhosted.org/packages/c5/33/dd70400631b62b9b29c3c93d2feee1d0964dc2bae2e5ad7a6c73a7f25325/pandas-2.3.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:c46467899aaa4da076d5abc11084634e2d197e9460643dd455ac3db5856b24d6", size = 12886834, upload-time = "2025-09-29T23:28:21.289Z" }, + { url = "https://files.pythonhosted.org/packages/d3/18/b5d48f55821228d0d2692b34fd5034bb185e854bdb592e9c640f6290e012/pandas-2.3.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:6253c72c6a1d990a410bc7de641d34053364ef8bcd3126f7e7450125887dffe3", size = 13409925, upload-time = "2025-09-29T23:28:58.261Z" }, + { url = "https://files.pythonhosted.org/packages/a6/3d/124ac75fcd0ecc09b8fdccb0246ef65e35b012030defb0e0eba2cbbbe948/pandas-2.3.3-cp314-cp314-win_amd64.whl", hash = "sha256:1b07204a219b3b7350abaae088f451860223a52cfb8a6c53358e7948735158e5", size = 11109071, upload-time = "2025-09-29T23:32:27.484Z" }, + { url = "https://files.pythonhosted.org/packages/89/9c/0e21c895c38a157e0faa1fb64587a9226d6dd46452cac4532d80c3c4a244/pandas-2.3.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:2462b1a365b6109d275250baaae7b760fd25c726aaca0054649286bcfbb3e8ec", size = 12048504, upload-time = "2025-09-29T23:29:31.47Z" }, + { url = 
"https://files.pythonhosted.org/packages/d7/82/b69a1c95df796858777b68fbe6a81d37443a33319761d7c652ce77797475/pandas-2.3.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:0242fe9a49aa8b4d78a4fa03acb397a58833ef6199e9aa40a95f027bb3a1b6e7", size = 11410702, upload-time = "2025-09-29T23:29:54.591Z" }, + { url = "https://files.pythonhosted.org/packages/f9/88/702bde3ba0a94b8c73a0181e05144b10f13f29ebfc2150c3a79062a8195d/pandas-2.3.3-cp314-cp314t-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:a21d830e78df0a515db2b3d2f5570610f5e6bd2e27749770e8bb7b524b89b450", size = 11634535, upload-time = "2025-09-29T23:30:21.003Z" }, + { url = "https://files.pythonhosted.org/packages/a4/1e/1bac1a839d12e6a82ec6cb40cda2edde64a2013a66963293696bbf31fbbb/pandas-2.3.3-cp314-cp314t-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2e3ebdb170b5ef78f19bfb71b0dc5dc58775032361fa188e814959b74d726dd5", size = 12121582, upload-time = "2025-09-29T23:30:43.391Z" }, + { url = "https://files.pythonhosted.org/packages/44/91/483de934193e12a3b1d6ae7c8645d083ff88dec75f46e827562f1e4b4da6/pandas-2.3.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:d051c0e065b94b7a3cea50eb1ec32e912cd96dba41647eb24104b6c6c14c5788", size = 12699963, upload-time = "2025-09-29T23:31:10.009Z" }, + { url = "https://files.pythonhosted.org/packages/70/44/5191d2e4026f86a2a109053e194d3ba7a31a2d10a9c2348368c63ed4e85a/pandas-2.3.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:3869faf4bd07b3b66a9f462417d0ca3a9df29a9f6abd5d0d0dbab15dac7abe87", size = 13202175, upload-time = "2025-09-29T23:31:59.173Z" }, +] + +[[package]] +name = "pexpect" +version = "4.9.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "ptyprocess" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/42/92/cc564bf6381ff43ce1f4d06852fc19a2f11d180f23dc32d9588bee2f149d/pexpect-4.9.0.tar.gz", hash = "sha256:ee7d41123f3c9911050ea2c2dac107568dc43b2d3b0c7557a33212c398ead30f", size = 
166450, upload-time = "2023-11-25T09:07:26.339Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/9e/c3/059298687310d527a58bb01f3b1965787ee3b40dce76752eda8b44e9a2c5/pexpect-4.9.0-py2.py3-none-any.whl", hash = "sha256:7236d1e080e4936be2dc3e326cec0af72acf9212a7e1d060210e70a47e253523", size = 63772, upload-time = "2023-11-25T06:56:14.81Z" }, +] + +[[package]] +name = "ptyprocess" +version = "0.7.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/20/e5/16ff212c1e452235a90aeb09066144d0c5a6a8c0834397e03f5224495c4e/ptyprocess-0.7.0.tar.gz", hash = "sha256:5c5d0a3b48ceee0b48485e0c26037c0acd7d29765ca3fbb5cb3831d347423220", size = 70762, upload-time = "2020-12-28T15:15:30.155Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/22/a6/858897256d0deac81a172289110f31629fc4cee19b6f01283303e18c8db3/ptyprocess-0.7.0-py2.py3-none-any.whl", hash = "sha256:4b41f3967fce3af57cc7e94b888626c18bf37a083e3651ca8feeb66d492fef35", size = 13993, upload-time = "2020-12-28T15:15:28.35Z" }, +] + +[[package]] +name = "pygments" +version = "2.19.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/b0/77/a5b8c569bf593b0140bde72ea885a803b82086995367bf2037de0159d924/pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887", size = 4968631, upload-time = "2025-06-21T13:39:12.283Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" }, +] + +[[package]] +name = "python-daemon" +version = "3.1.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "lockfile" }, +] +sdist = { url = 
"https://files.pythonhosted.org/packages/3d/37/4f10e37bdabc058a32989da2daf29e57dc59dbc5395497f3d36d5f5e2694/python_daemon-3.1.2.tar.gz", hash = "sha256:f7b04335adc473de877f5117e26d5f1142f4c9f7cd765408f0877757be5afbf4", size = 71576, upload-time = "2024-12-03T08:41:07.843Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/45/3c/b88167e2d6785c0e781ee5d498b07472aeb9b6765da3b19e7cc9e0813841/python_daemon-3.1.2-py3-none-any.whl", hash = "sha256:b906833cef63502994ad48e2eab213259ed9bb18d54fa8774dcba2ff7864cec6", size = 30872, upload-time = "2024-12-03T08:41:03.322Z" }, +] + +[[package]] +name = "python-dateutil" +version = "2.9.0.post0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "six" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/66/c0/0c8b6ad9f17a802ee498c46e004a0eb49bc148f2fd230864601a86dcf6db/python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3", size = 342432, upload-time = "2024-03-01T18:36:20.211Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427", size = 229892, upload-time = "2024-03-01T18:36:18.57Z" }, +] + +[[package]] +name = "pytz" +version = "2025.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f8/bf/abbd3cdfb8fbc7fb3d4d38d320f2441b1e7cbe29be4f23797b4a2b5d8aac/pytz-2025.2.tar.gz", hash = "sha256:360b9e3dbb49a209c21ad61809c7fb453643e048b38924c765813546746e81c3", size = 320884, upload-time = "2025-03-25T02:25:00.538Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/81/c4/34e93fe5f5429d7570ec1fa436f1986fb1f00c3e0f43a589fe2bbcd22c3f/pytz-2025.2-py2.py3-none-any.whl", hash = 
"sha256:5ddf76296dd8c44c26eb8f4b6f35488f3ccbf6fbbd7adee0b7262d43f0ec2f00", size = 509225, upload-time = "2025-03-25T02:24:58.468Z" }, +] + +[[package]] +name = "pyyaml" +version = "6.0.3" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/05/8e/961c0007c59b8dd7729d542c61a4d537767a59645b82a0b521206e1e25c2/pyyaml-6.0.3.tar.gz", hash = "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f", size = 130960, upload-time = "2025-09-25T21:33:16.546Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/d1/11/0fd08f8192109f7169db964b5707a2f1e8b745d4e239b784a5a1dd80d1db/pyyaml-6.0.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:8da9669d359f02c0b91ccc01cac4a67f16afec0dac22c2ad09f46bee0697eba8", size = 181669, upload-time = "2025-09-25T21:32:23.673Z" }, + { url = "https://files.pythonhosted.org/packages/b1/16/95309993f1d3748cd644e02e38b75d50cbc0d9561d21f390a76242ce073f/pyyaml-6.0.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:2283a07e2c21a2aa78d9c4442724ec1eb15f5e42a723b99cb3d822d48f5f7ad1", size = 173252, upload-time = "2025-09-25T21:32:25.149Z" }, + { url = "https://files.pythonhosted.org/packages/50/31/b20f376d3f810b9b2371e72ef5adb33879b25edb7a6d072cb7ca0c486398/pyyaml-6.0.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ee2922902c45ae8ccada2c5b501ab86c36525b883eff4255313a253a3160861c", size = 767081, upload-time = "2025-09-25T21:32:26.575Z" }, + { url = "https://files.pythonhosted.org/packages/49/1e/a55ca81e949270d5d4432fbbd19dfea5321eda7c41a849d443dc92fd1ff7/pyyaml-6.0.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a33284e20b78bd4a18c8c2282d549d10bc8408a2a7ff57653c0cf0b9be0afce5", size = 841159, upload-time = "2025-09-25T21:32:27.727Z" }, + { url = 
"https://files.pythonhosted.org/packages/74/27/e5b8f34d02d9995b80abcef563ea1f8b56d20134d8f4e5e81733b1feceb2/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0f29edc409a6392443abf94b9cf89ce99889a1dd5376d94316ae5145dfedd5d6", size = 801626, upload-time = "2025-09-25T21:32:28.878Z" }, + { url = "https://files.pythonhosted.org/packages/f9/11/ba845c23988798f40e52ba45f34849aa8a1f2d4af4b798588010792ebad6/pyyaml-6.0.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f7057c9a337546edc7973c0d3ba84ddcdf0daa14533c2065749c9075001090e6", size = 753613, upload-time = "2025-09-25T21:32:30.178Z" }, + { url = "https://files.pythonhosted.org/packages/3d/e0/7966e1a7bfc0a45bf0a7fb6b98ea03fc9b8d84fa7f2229e9659680b69ee3/pyyaml-6.0.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:eda16858a3cab07b80edaf74336ece1f986ba330fdb8ee0d6c0d68fe82bc96be", size = 794115, upload-time = "2025-09-25T21:32:31.353Z" }, + { url = "https://files.pythonhosted.org/packages/de/94/980b50a6531b3019e45ddeada0626d45fa85cbe22300844a7983285bed3b/pyyaml-6.0.3-cp313-cp313-win32.whl", hash = "sha256:d0eae10f8159e8fdad514efdc92d74fd8d682c933a6dd088030f3834bc8e6b26", size = 137427, upload-time = "2025-09-25T21:32:32.58Z" }, + { url = "https://files.pythonhosted.org/packages/97/c9/39d5b874e8b28845e4ec2202b5da735d0199dbe5b8fb85f91398814a9a46/pyyaml-6.0.3-cp313-cp313-win_amd64.whl", hash = "sha256:79005a0d97d5ddabfeeea4cf676af11e647e41d81c9a7722a193022accdb6b7c", size = 154090, upload-time = "2025-09-25T21:32:33.659Z" }, + { url = "https://files.pythonhosted.org/packages/73/e8/2bdf3ca2090f68bb3d75b44da7bbc71843b19c9f2b9cb9b0f4ab7a5a4329/pyyaml-6.0.3-cp313-cp313-win_arm64.whl", hash = "sha256:5498cd1645aa724a7c71c8f378eb29ebe23da2fc0d7a08071d89469bf1d2defb", size = 140246, upload-time = "2025-09-25T21:32:34.663Z" }, + { url = 
"https://files.pythonhosted.org/packages/9d/8c/f4bd7f6465179953d3ac9bc44ac1a8a3e6122cf8ada906b4f96c60172d43/pyyaml-6.0.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:8d1fab6bb153a416f9aeb4b8763bc0f22a5586065f86f7664fc23339fc1c1fac", size = 181814, upload-time = "2025-09-25T21:32:35.712Z" }, + { url = "https://files.pythonhosted.org/packages/bd/9c/4d95bb87eb2063d20db7b60faa3840c1b18025517ae857371c4dd55a6b3a/pyyaml-6.0.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:34d5fcd24b8445fadc33f9cf348c1047101756fd760b4dacb5c3e99755703310", size = 173809, upload-time = "2025-09-25T21:32:36.789Z" }, + { url = "https://files.pythonhosted.org/packages/92/b5/47e807c2623074914e29dabd16cbbdd4bf5e9b2db9f8090fa64411fc5382/pyyaml-6.0.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:501a031947e3a9025ed4405a168e6ef5ae3126c59f90ce0cd6f2bfc477be31b7", size = 766454, upload-time = "2025-09-25T21:32:37.966Z" }, + { url = "https://files.pythonhosted.org/packages/02/9e/e5e9b168be58564121efb3de6859c452fccde0ab093d8438905899a3a483/pyyaml-6.0.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:b3bc83488de33889877a0f2543ade9f70c67d66d9ebb4ac959502e12de895788", size = 836355, upload-time = "2025-09-25T21:32:39.178Z" }, + { url = "https://files.pythonhosted.org/packages/88/f9/16491d7ed2a919954993e48aa941b200f38040928474c9e85ea9e64222c3/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c458b6d084f9b935061bc36216e8a69a7e293a2f1e68bf956dcd9e6cbcd143f5", size = 794175, upload-time = "2025-09-25T21:32:40.865Z" }, + { url = "https://files.pythonhosted.org/packages/dd/3f/5989debef34dc6397317802b527dbbafb2b4760878a53d4166579111411e/pyyaml-6.0.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7c6610def4f163542a622a73fb39f534f8c101d690126992300bf3207eab9764", size = 755228, upload-time = "2025-09-25T21:32:42.084Z" }, + { url = 
"https://files.pythonhosted.org/packages/d7/ce/af88a49043cd2e265be63d083fc75b27b6ed062f5f9fd6cdc223ad62f03e/pyyaml-6.0.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:5190d403f121660ce8d1d2c1bb2ef1bd05b5f68533fc5c2ea899bd15f4399b35", size = 789194, upload-time = "2025-09-25T21:32:43.362Z" }, + { url = "https://files.pythonhosted.org/packages/23/20/bb6982b26a40bb43951265ba29d4c246ef0ff59c9fdcdf0ed04e0687de4d/pyyaml-6.0.3-cp314-cp314-win_amd64.whl", hash = "sha256:4a2e8cebe2ff6ab7d1050ecd59c25d4c8bd7e6f400f5f82b96557ac0abafd0ac", size = 156429, upload-time = "2025-09-25T21:32:57.844Z" }, + { url = "https://files.pythonhosted.org/packages/f4/f4/a4541072bb9422c8a883ab55255f918fa378ecf083f5b85e87fc2b4eda1b/pyyaml-6.0.3-cp314-cp314-win_arm64.whl", hash = "sha256:93dda82c9c22deb0a405ea4dc5f2d0cda384168e466364dec6255b293923b2f3", size = 143912, upload-time = "2025-09-25T21:32:59.247Z" }, + { url = "https://files.pythonhosted.org/packages/7c/f9/07dd09ae774e4616edf6cda684ee78f97777bdd15847253637a6f052a62f/pyyaml-6.0.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:02893d100e99e03eda1c8fd5c441d8c60103fd175728e23e431db1b589cf5ab3", size = 189108, upload-time = "2025-09-25T21:32:44.377Z" }, + { url = "https://files.pythonhosted.org/packages/4e/78/8d08c9fb7ce09ad8c38ad533c1191cf27f7ae1effe5bb9400a46d9437fcf/pyyaml-6.0.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c1ff362665ae507275af2853520967820d9124984e0f7466736aea23d8611fba", size = 183641, upload-time = "2025-09-25T21:32:45.407Z" }, + { url = "https://files.pythonhosted.org/packages/7b/5b/3babb19104a46945cf816d047db2788bcaf8c94527a805610b0289a01c6b/pyyaml-6.0.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6adc77889b628398debc7b65c073bcb99c4a0237b248cacaf3fe8a557563ef6c", size = 831901, upload-time = "2025-09-25T21:32:48.83Z" }, + { url = 
"https://files.pythonhosted.org/packages/8b/cc/dff0684d8dc44da4d22a13f35f073d558c268780ce3c6ba1b87055bb0b87/pyyaml-6.0.3-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a80cb027f6b349846a3bf6d73b5e95e782175e52f22108cfa17876aaeff93702", size = 861132, upload-time = "2025-09-25T21:32:50.149Z" }, + { url = "https://files.pythonhosted.org/packages/b1/5e/f77dc6b9036943e285ba76b49e118d9ea929885becb0a29ba8a7c75e29fe/pyyaml-6.0.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c", size = 839261, upload-time = "2025-09-25T21:32:51.808Z" }, + { url = "https://files.pythonhosted.org/packages/ce/88/a9db1376aa2a228197c58b37302f284b5617f56a5d959fd1763fb1675ce6/pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:66e1674c3ef6f541c35191caae2d429b967b99e02040f5ba928632d9a7f0f065", size = 805272, upload-time = "2025-09-25T21:32:52.941Z" }, + { url = "https://files.pythonhosted.org/packages/da/92/1446574745d74df0c92e6aa4a7b0b3130706a4142b2d1a5869f2eaa423c6/pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:16249ee61e95f858e83976573de0f5b2893b3677ba71c9dd36b9cf8be9ac6d65", size = 829923, upload-time = "2025-09-25T21:32:54.537Z" }, + { url = "https://files.pythonhosted.org/packages/f0/7a/1c7270340330e575b92f397352af856a8c06f230aa3e76f86b39d01b416a/pyyaml-6.0.3-cp314-cp314t-win_amd64.whl", hash = "sha256:4ad1906908f2f5ae4e5a8ddfce73c320c2a1429ec52eafd27138b7f1cbe341c9", size = 174062, upload-time = "2025-09-25T21:32:55.767Z" }, + { url = "https://files.pythonhosted.org/packages/f1/12/de94a39c2ef588c7e6455cfbe7343d3b2dc9d6b6b2f40c4c6565744c873d/pyyaml-6.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:ebc55a14a21cb14062aa4162f906cd962b28e2e9ea38f9b4391244cd8de4ae0b", size = 149341, upload-time = "2025-09-25T21:32:56.828Z" }, +] + +[[package]] +name = "requests" +version = "2.32.5" +source = { 
registry = "https://pypi.org/simple" } +dependencies = [ + { name = "certifi" }, + { name = "charset-normalizer" }, + { name = "idna" }, + { name = "urllib3" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/c9/74/b3ff8e6c8446842c3f5c837e9c3dfcfe2018ea6ecef224c710c85ef728f4/requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf", size = 134517, upload-time = "2025-08-18T20:46:02.573Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6", size = 64738, upload-time = "2025-08-18T20:46:00.542Z" }, +] + +[[package]] +name = "rich" +version = "14.2.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "markdown-it-py" }, + { name = "pygments" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/fb/d2/8920e102050a0de7bfabeb4c4614a49248cf8d5d7a8d01885fbb24dc767a/rich-14.2.0.tar.gz", hash = "sha256:73ff50c7c0c1c77c8243079283f4edb376f0f6442433aecb8ce7e6d0b92d1fe4", size = 219990, upload-time = "2025-10-09T14:16:53.064Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/25/7a/b0178788f8dc6cafce37a212c99565fa1fe7872c70c6c9c1e1a372d9d88f/rich-14.2.0-py3-none-any.whl", hash = "sha256:76bc51fe2e57d2b1be1f96c524b890b816e334ab4c1e45888799bfaab0021edd", size = 243393, upload-time = "2025-10-09T14:16:51.245Z" }, +] + +[[package]] +name = "shellingham" +version = "1.5.4" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/58/15/8b3609fd3830ef7b27b655beb4b4e9c62313a4e8da8c676e142cc210d58e/shellingham-1.5.4.tar.gz", hash = "sha256:8dbca0739d487e5bd35ab3ca4b36e11c4078f3a234bfce294b0a0291363404de", size = 10310, upload-time = "2023-10-24T04:13:40.426Z" } +wheels = [ + { url = 
"https://files.pythonhosted.org/packages/e0/f9/0595336914c5619e5f28a1fb793285925a8cd4b432c9da0a987836c7f822/shellingham-1.5.4-py2.py3-none-any.whl", hash = "sha256:7ecfff8f2fd72616f7481040475a65b2bf8af90a56c89140852d1120324e8686", size = 9755, upload-time = "2023-10-24T04:13:38.866Z" }, +] + +[[package]] +name = "six" +version = "1.17.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/94/e7/b2c673351809dca68a0e064b6af791aa332cf192da575fd474ed7d6f16a2/six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81", size = 34031, upload-time = "2024-12-04T17:35:28.174Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274", size = 11050, upload-time = "2024-12-04T17:35:26.475Z" }, +] + +[[package]] +name = "total-replay" +version = "0.1.0" +source = { editable = "." 
} +dependencies = [ + { name = "ansible-runner" }, + { name = "colorama" }, + { name = "pandas" }, + { name = "pyyaml" }, + { name = "requests" }, + { name = "rich" }, + { name = "typer" }, + { name = "urllib3" }, +] + +[package.metadata] +requires-dist = [ + { name = "ansible-runner", specifier = ">=2.4.2,<3.0.0" }, + { name = "colorama", specifier = ">=0.4.6,<0.5.0" }, + { name = "pandas", specifier = ">=2.3.3,<3.0.0" }, + { name = "pyyaml", specifier = ">=6.0.3,<7.0.0" }, + { name = "requests", specifier = ">=2.32.5,<3.0.0" }, + { name = "rich", specifier = ">=14.2.0,<15.0.0" }, + { name = "typer", specifier = ">=0.20.0,<0.21.0" }, + { name = "urllib3", specifier = ">=2.6.0,<3.0.0" }, +] + +[[package]] +name = "typer" +version = "0.20.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "click" }, + { name = "rich" }, + { name = "shellingham" }, + { name = "typing-extensions" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/6d/c1/933d30fd7a123ed981e2a1eedafceab63cb379db0402e438a13bc51bbb15/typer-0.20.1.tar.gz", hash = "sha256:68585eb1b01203689c4199bc440d6be616f0851e9f0eb41e4a778845c5a0fd5b", size = 105968, upload-time = "2025-12-19T16:48:56.302Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c8/52/1f2df7e7d1be3d65ddc2936d820d4a3d9777a54f4204f5ca46b8513eff77/typer-0.20.1-py3-none-any.whl", hash = "sha256:4b3bde918a67c8e03d861aa02deca90a95bbac572e71b1b9be56ff49affdb5a8", size = 47381, upload-time = "2025-12-19T16:48:53.679Z" }, +] + +[[package]] +name = "typing-extensions" +version = "4.15.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/72/94/1a15dd82efb362ac84269196e94cf00f187f7ed21c242792a923cdb1c61f/typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466", size = 109391, upload-time = "2025-08-25T13:49:26.313Z" } +wheels = [ + { url = 
"https://files.pythonhosted.org/packages/18/67/36e9267722cc04a6b9f15c7f3441c2363321a3ea07da7ae0c0707beb2a9c/typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548", size = 44614, upload-time = "2025-08-25T13:49:24.86Z" }, +] + +[[package]] +name = "tzdata" +version = "2025.3" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/5e/a7/c202b344c5ca7daf398f3b8a477eeb205cf3b6f32e7ec3a6bac0629ca975/tzdata-2025.3.tar.gz", hash = "sha256:de39c2ca5dc7b0344f2eba86f49d614019d29f060fc4ebc8a417896a620b56a7", size = 196772, upload-time = "2025-12-13T17:45:35.667Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c7/b0/003792df09decd6849a5e39c28b513c06e84436a54440380862b5aeff25d/tzdata-2025.3-py2.py3-none-any.whl", hash = "sha256:06a47e5700f3081aab02b2e513160914ff0694bce9947d6b76ebd6bf57cfc5d1", size = 348521, upload-time = "2025-12-13T17:45:33.889Z" }, +] + +[[package]] +name = "urllib3" +version = "2.6.3" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" }, +]