10341000x800000000000000023364Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023363Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023362Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023361Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023360Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023359Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023358Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023357Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023356Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023355Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023354Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023353Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023352Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023351Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023350Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023349Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023348Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023347Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023346Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023345Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023344Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023343Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023342Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023341Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023340Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023339Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023338Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:33:57.394{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023372Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.378{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56A2-5FCF-0000-001016EE3400}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023371Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.378{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023370Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.378{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023369Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.378{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023368Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.378{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023367Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.378{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-56A2-5FCF-0000-001016EE3400}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023366Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.378{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56A2-5FCF-0000-001016EE3400}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023365Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:10.379{7E531255-56A2-5FCF-0000-001016EE3400}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023380Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.550{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56A3-5FCF-0000-0010DCEF3400}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023379Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.550{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023378Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.550{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023377Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.550{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023376Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.550{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023375Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.550{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-56A3-5FCF-0000-0010DCEF3400}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023374Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.550{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56A3-5FCF-0000-0010DCEF3400}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023373Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:11.551{7E531255-56A3-5FCF-0000-0010DCEF3400}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023389Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.363{7E531255-56A4-5FCF-0000-001098F13400}60046936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023388Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.222{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56A4-5FCF-0000-001098F13400}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023387Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.222{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023386Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.222{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023385Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.222{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023384Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.222{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023383Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.222{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-56A4-5FCF-0000-001098F13400}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023382Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.222{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56A4-5FCF-0000-001098F13400}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023381Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:12.223{7E531255-56A4-5FCF-0000-001098F13400}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023398Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.472{7E531255-56A6-5FCF-0000-001093F33400}63124372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023397Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.331{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56A6-5FCF-0000-001093F33400}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023396Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.331{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023395Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.331{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023394Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.331{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023393Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.331{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023392Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.331{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-56A6-5FCF-0000-001093F33400}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023391Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.331{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56A6-5FCF-0000-001093F33400}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023390Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:14.332{7E531255-56A6-5FCF-0000-001093F33400}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023416Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.816{7E531255-56A7-5FCF-0000-001049F73400}54402060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023415Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.675{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56A7-5FCF-0000-001049F73400}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023414Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.675{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023413Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.675{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023412Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.675{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023411Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.675{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023410Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.675{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-56A7-5FCF-0000-001049F73400}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023409Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.675{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56A7-5FCF-0000-001049F73400}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023408Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.676{7E531255-56A7-5FCF-0000-001049F73400}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023407Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.144{7E531255-56A7-5FCF-0000-00108DF53400}47485192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023406Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.003{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56A7-5FCF-0000-00108DF53400}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023405Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.003{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023404Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.003{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023403Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.003{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023402Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.003{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023401Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.003{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-56A7-5FCF-0000-00108DF53400}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023400Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.003{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56A7-5FCF-0000-00108DF53400}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023399Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:15.004{7E531255-56A7-5FCF-0000-00108DF53400}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023424Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.425{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56A8-5FCF-0000-001014F93400}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023423Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.425{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023422Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.425{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023421Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.425{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023420Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.425{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023419Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.425{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-56A8-5FCF-0000-001014F93400}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023418Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.425{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56A8-5FCF-0000-001014F93400}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023417Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:34:16.426{7E531255-56A8-5FCF-0000-001014F93400}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023432Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56DE-5FCF-0000-00101E053500}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023431Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023430Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023429Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023428Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023427Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-56DE-5FCF-0000-00101E053500}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023426Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56DE-5FCF-0000-00101E053500}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023425Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:10.377{7E531255-56DE-5FCF-0000-00101E053500}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023440Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.548{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56DF-5FCF-0000-0010E2063500}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023439Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.548{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023438Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.548{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023437Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.548{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023436Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.548{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023435Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.548{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-56DF-5FCF-0000-0010E2063500}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023434Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.548{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56DF-5FCF-0000-0010E2063500}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023433Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:11.549{7E531255-56DF-5FCF-0000-0010E2063500}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023449Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.314{7E531255-56E0-5FCF-0000-00108F083500}69284152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023448Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.173{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56E0-5FCF-0000-00108F083500}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023447Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.173{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023446Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.173{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023445Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.173{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023444Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.173{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023443Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.173{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-56E0-5FCF-0000-00108F083500}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023442Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.173{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56E0-5FCF-0000-00108F083500}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023441Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:12.174{7E531255-56E0-5FCF-0000-00108F083500}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023458Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.470{7E531255-56E2-5FCF-0000-0010990A3500}13686308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023457Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56E2-5FCF-0000-0010990A3500}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023456Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023455Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023454Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023453Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023452Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-56E2-5FCF-0000-0010990A3500}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023451Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56E2-5FCF-0000-0010990A3500}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023450Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:14.330{7E531255-56E2-5FCF-0000-0010990A3500}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023476Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.814{7E531255-56E3-5FCF-0000-0010EC0D3500}46325232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023475Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.673{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56E3-5FCF-0000-0010EC0D3500}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023474Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.673{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023473Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.673{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023472Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.673{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023471Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.673{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023470Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.673{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-56E3-5FCF-0000-0010EC0D3500}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023469Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.673{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56E3-5FCF-0000-0010EC0D3500}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023468Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.674{7E531255-56E3-5FCF-0000-0010EC0D3500}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023467Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.142{7E531255-56E3-5FCF-0000-0010290C3500}71566832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023466Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.001{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56E3-5FCF-0000-0010290C3500}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023465Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.001{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023464Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.001{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023463Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.001{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023462Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.001{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023461Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.001{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-56E3-5FCF-0000-0010290C3500}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023460Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.001{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56E3-5FCF-0000-0010290C3500}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023459Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:15.002{7E531255-56E3-5FCF-0000-0010290C3500}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023484Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.423{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-56E4-5FCF-0000-001023103500}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023483Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.423{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023482Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.423{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023481Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.423{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023480Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.423{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023479Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.423{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-56E4-5FCF-0000-001023103500}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023478Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.423{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-56E4-5FCF-0000-001023103500}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023477Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:16.424{7E531255-56E4-5FCF-0000-001023103500}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000023490Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:35:35.751{7E531255-3C72-5FCF-0000-001086CD0000}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000023489Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:35:35.751{7E531255-3C72-5FCF-0000-001086CD0000}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000023488Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:35:35.751{7E531255-3C72-5FCF-0000-001086CD0000}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000023487Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:35:35.751{7E531255-3C72-5FCF-0000-001086CD0000}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6cd4d-0xdcf9587f) 13241300x800000000000000023486Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:35:35.751{7E531255-3C72-5FCF-0000-001086CD0000}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000023485Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:35:35.751{7E531255-3C72-5FCF-0000-001086CD0000}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 10341000x800000000000000023497Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:50.032{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023496Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:50.032{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023495Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:50.032{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023494Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:50.032{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023493Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:50.032{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023492Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:50.032{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023491Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:50.032{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023539Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.485{7E531255-3C72-5FCF-0000-0010E9B90000}11601248C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010D0223500}4420C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023538Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.485{7E531255-3C72-5FCF-0000-0010E9B90000}11601644C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010D0223500}4420C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023537Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.485{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010D0223500}4420C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023536Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.469{7E531255-3D7C-5FCF-0000-0010020F0700}26962676C:\Windows\system32\csrss.exe{7E531255-570A-5FCF-0000-0010D0223500}4420C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023535Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.469{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-570A-5FCF-0000-0010D0223500}4420C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023534Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.469{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010D0223500}4420C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023533Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.469{7E531255-3C72-5FCF-0000-0010E9B90000}11601248C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010B4203500}828C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023532Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.469{7E531255-3C72-5FCF-0000-0010E9B90000}11601644C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010B4203500}828C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023531Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.469{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010B4203500}828C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023530Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.453{7E531255-3D7C-5FCF-0000-0010020F0700}26962676C:\Windows\system32\csrss.exe{7E531255-570A-5FCF-0000-0010B4203500}828C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023529Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.453{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-570A-5FCF-0000-0010B4203500}828C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023528Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.453{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-570A-5FCF-0000-0010B4203500}828C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023527Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.453{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+164d7|C:\Windows\system32\windows.cortana.Desktop.dll+12c8b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023526Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.453{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+12c21|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023525Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.453{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023524Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.453{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023523Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.422{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023522Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.422{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023521Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.422{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000023520Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.422{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000023519Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.422{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023518Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.422{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023517Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023516Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-001000AA0000}9961040C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023515Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-001000AA0000}9961040C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023514Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-001000AA0000}9961040C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023513Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-001000AA0000}9961040C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023512Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-001000AA0000}9961040C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023511Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-001000AA0000}9961040C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023510Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023509Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023508Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023507Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023506Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023505Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023504Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023503Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023502Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42924988C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023501Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42924988C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023500Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023499Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a704|C:\Windows\System32\TwinUI.dll+1a608|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000023498Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:54.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+18985|C:\Windows\System32\TwinUI.dll+1a76c|C:\Windows\System32\TwinUI.dll+1a5f5|C:\Windows\System32\TwinUI.dll+1ba5f|C:\Windows\System32\TwinUI.dll+1a02d|C:\Windows\System32\TwinUI.dll+1cef1|C:\Windows\System32\TwinUI.dll+40e510|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0 10341000x800000000000000023618Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24366124C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023617Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24366124C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023616Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023615Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023614Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023613Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023612Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023611Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.953{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023610Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023609Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023608Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023607Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023606Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023605Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023604Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023603Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.844{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023602Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023601Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023600Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023599Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023598Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023597Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023596Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023595Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.735{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023594Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023593Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023592Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023591Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023590Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023589Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023588Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023587Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.578{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023586Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.563{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023585Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.563{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023584Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.563{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023583Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023582Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023581Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023580Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023579Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023578Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023577Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023576Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.402{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023575Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023574Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023573Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023572Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023571Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023570Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023569Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023568Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.360{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023567Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023566Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24362092C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023565Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023564Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023563Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023562Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023561Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24362972C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023560Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.281{7E531255-3D7E-5FCF-0000-0010533A0800}24362972C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023559Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000023558Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000023557Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24362972C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023556Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24362972C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023555Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023554Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023553Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023552Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023551Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023550Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023549Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023548Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023547Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023546Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.110{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023545Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.094{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+79be|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000023544Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.094{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\execmodelclient.dll+791a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000023543Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.094{7E531255-3D7F-5FCF-0000-00104D7C0800}42926664C:\Windows\Explorer.EXE{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023542Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.094{7E531255-3D7F-5FCF-0000-00104D7C0800}42926664C:\Windows\Explorer.EXE{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023541Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.094{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023540Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:55.094{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023678Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.563{7E531255-3C70-5FCF-0000-001030540000}8682188C:\Windows\system32\lsass.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023677Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.563{7E531255-3C70-5FCF-0000-001030540000}8682188C:\Windows\system32\lsass.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000023676Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.531{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bh4rb0pr.2hg.ps12020-12-08 10:35:56.531 10341000x800000000000000023675Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.516{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023674Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.500{7E531255-570C-5FCF-0000-00106B363500}50126316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7227|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\windows.storage.dll+1de15|C:\Windows\System32\windows.storage.dll+1dd5d|C:\Windows\System32\windows.storage.dll+1c1a6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023673Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.500{7E531255-570C-5FCF-0000-00106B363500}50126316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\windows.storage.dll+e7192|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\windows.storage.dll+1de15|C:\Windows\System32\windows.storage.dll+1dd5d|C:\Windows\System32\windows.storage.dll+1c1a6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023672Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.500{7E531255-570C-5FCF-0000-00106B363500}50126316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\windows.storage.dll+1de15|C:\Windows\System32\windows.storage.dll+1dd5d|C:\Windows\System32\windows.storage.dll+1c1a6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023671Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.500{7E531255-570C-5FCF-0000-00106B363500}50126316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+e7177|C:\Windows\System32\windows.storage.dll+e6b53|C:\Windows\System32\windows.storage.dll+e69d9|C:\Windows\System32\windows.storage.dll+1de15|C:\Windows\System32\windows.storage.dll+1dd5d|C:\Windows\System32\windows.storage.dll+1c1a6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023670Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.500{7E531255-570C-5FCF-0000-00106B363500}50126316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\windows.storage.dll+13656e|C:\Windows\System32\windows.storage.dll+e6aac|C:\Windows\System32\windows.storage.dll+e6888|C:\Windows\System32\windows.storage.dll+1de15|C:\Windows\System32\windows.storage.dll+1dd5d|C:\Windows\System32\windows.storage.dll+1c1a6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023669Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.500{7E531255-570C-5FCF-0000-00106B363500}50126316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+13655c|C:\Windows\System32\windows.storage.dll+e6aac|C:\Windows\System32\windows.storage.dll+e6888|C:\Windows\System32\windows.storage.dll+1de15|C:\Windows\System32\windows.storage.dll+1dd5d|C:\Windows\System32\windows.storage.dll+1c1a6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023668Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.500{7E531255-570C-5FCF-0000-00106B363500}50126316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\windows.storage.dll+13655c|C:\Windows\System32\windows.storage.dll+e6aac|C:\Windows\System32\windows.storage.dll+e6888|C:\Windows\System32\windows.storage.dll+1de15|C:\Windows\System32\windows.storage.dll+1dd5d|C:\Windows\System32\windows.storage.dll+1c1a6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023667Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.469{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023666Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.453{7E531255-3C72-5FCF-0000-0010E9B90000}11601248C:\Windows\system32\svchost.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023665Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.453{7E531255-3C72-5FCF-0000-0010E9B90000}11601644C:\Windows\system32\svchost.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023664Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.453{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023663Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.453{7E531255-3D7F-5FCF-0000-00104D7C0800}42923744C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023662Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7E-5FCF-0000-001039470800}32722620C:\Windows\system32\taskhostw.exe{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023661Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42926964C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+12d84|C:\Windows\Explorer.EXE+2fdf8|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023660Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42926964C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+12d84|C:\Windows\Explorer.EXE+2fdf8|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023659Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42926964C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023658Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42926964C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023657Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42926964C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023656Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023655Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023654Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023653Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.438{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023652Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3C72-5FCF-0000-0010E9B90000}11601248C:\Windows\system32\svchost.exe{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023651Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3C72-5FCF-0000-0010E9B90000}11601644C:\Windows\system32\svchost.exe{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023650Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-570C-5FCF-0000-001051373500}2086520C:\Windows\system32\conhost.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023649Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000023648Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f40ac|C:\Windows\System32\TwinUI.dll+f4bf7|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e 10341000x800000000000000023647Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3D7C-5FCF-0000-0010020F0700}26964268C:\Windows\system32\csrss.exe{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023646Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023645Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42925684C:\Windows\Explorer.EXE{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023644Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42925684C:\Windows\Explorer.EXE{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023643Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d966|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023642Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3D7F-5FCF-0000-00104D7C0800}42923752C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d8be|C:\Windows\SYSTEM32\twinapi.appcore.dll+2d331|C:\Windows\SYSTEM32\twinapi.appcore.dll+2ec2c|C:\Windows\SYSTEM32\twinapi.appcore.dll+2c467|C:\Windows\System32\TwinUI.dll+f88c6|C:\Windows\System32\TwinUI.dll+ed067|C:\Windows\System32\TwinUI.dll+f742e|C:\Windows\System32\TwinUI.dll+f73f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023641Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.406{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023640Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3D7C-5FCF-0000-0010020F0700}26964268C:\Windows\system32\csrss.exe{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023639Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3D7F-5FCF-0000-00104D7C0800}42921900C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\windows.storage.dll+1241fa|C:\Windows\System32\windows.storage.dll+123f5a|C:\Windows\System32\SHELL32.dll+77991|C:\Windows\System32\SHELL32.dll+767f6|C:\Windows\System32\SHELL32.dll+110821|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\windows.storage.dll+12f9e|C:\Windows\System32\windows.storage.dll+131a1|C:\Windows\System32\windows.storage.dll+12ddf|C:\Windows\System32\SHELL32.dll+1108a7|C:\Windows\System32\SHELL32.dll+7888e|C:\Windows\System32\SHELL32.dll+16ce0b 10341000x800000000000000023638Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023637Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023636Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023635Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023634Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.404{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{7E531255-3D7D-5FCF-0000-00202EEE0700}0x7ee2e2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x800000000000000023633Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023632Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.391{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023631Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.375{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9c27|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9b25|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000023630Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.375{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a54|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9af1|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e 10341000x800000000000000023629Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.375{7E531255-3D7F-5FCF-0000-00104D7C0800}42925636C:\Windows\Explorer.EXE{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8fcc|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9ac5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+2d9c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+505af|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+4da86|C:\Windows\System32\combase.dll+4d1ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+74e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7c5e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c40e|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000023628Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.375{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023627Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.375{7E531255-3C72-5FCF-0000-0010EF650000}6086324C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023626Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24366124C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023625Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24366124C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023624Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023623Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+1a642|C:\Windows\system32\windows.cortana.onecore.dll+16b12|C:\Windows\system32\windows.cortana.onecore.dll+16a5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023622Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24366184C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023621Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24361128C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.onecore.dll+1a5a3|C:\Windows\system32\windows.cortana.onecore.dll+6118|C:\Windows\system32\windows.cortana.onecore.dll+169b1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce 10341000x800000000000000023620Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24366124C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41838|C:\Windows\system32\windows.cortana.Desktop.dll+26127|C:\Windows\system32\windows.cortana.Desktop.dll+2151b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023619Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:56.156{7E531255-3D7E-5FCF-0000-0010533A0800}24366124C:\Windows\System32\RuntimeBroker.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\system32\windows.cortana.Desktop.dll+41792|C:\Windows\system32\windows.cortana.Desktop.dll+41550|C:\Windows\system32\windows.cortana.Desktop.dll+9248|C:\Windows\system32\windows.cortana.Desktop.dll+214b1|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+364fa|C:\Windows\System32\combase.dll+2d1ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22df|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d 10341000x800000000000000023702Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023701Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023700Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023699Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023698Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023697Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023696Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023695Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023694Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023693Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023692Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023691Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023690Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023689Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023688Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023687Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023686Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023685Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023684Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023683Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023682Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023681Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023680Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023679Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:58.406{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000023703Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:35:59.766{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt2020-12-08 10:35:59.766 10341000x800000000000000023707Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:00.625{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023706Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:00.625{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023705Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:00.625{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023704Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:00.625{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023716Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.859{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023715Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.859{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023714Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.859{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023713Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.859{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023712Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.859{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023711Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.859{7E531255-3D7E-5FCF-0000-0010CB420800}49962948C:\Windows\system32\sihost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+1a0fc|C:\Windows\System32\modernexecserver.dll+1a09f|C:\Windows\System32\modernexecserver.dll+198f6|C:\Windows\System32\modernexecserver.dll+2c9d4|C:\Windows\System32\modernexecserver.dll+35efd|C:\Windows\System32\modernexecserver.dll+4d3a1|C:\Windows\System32\modernexecserver.dll+4d2bf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023710Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.687{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023709Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.687{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023708Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:01.687{7E531255-3C72-5FCF-0000-0010EF650000}6086868C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x800000000000000023724Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-571A-5FCF-0000-00101F6E3500}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023723Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023722Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023721Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023720Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023719Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-571A-5FCF-0000-00101F6E3500}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023718Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-571A-5FCF-0000-00101F6E3500}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023717Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:10.375{7E531255-571A-5FCF-0000-00101F6E3500}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023733Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.687{7E531255-571B-5FCF-0000-001030703500}41843136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023732Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-571B-5FCF-0000-001030703500}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023731Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023730Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023729Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023728Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023727Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-571B-5FCF-0000-001030703500}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023726Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-571B-5FCF-0000-001030703500}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023725Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:11.547{7E531255-571B-5FCF-0000-001030703500}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000023742Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.656{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\test.ps12020-12-08 10:36:12.656 10341000x800000000000000023741Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.218{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-571C-5FCF-0000-0010C3713500}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023740Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.218{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023739Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.218{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023738Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.218{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023737Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.218{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023736Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.218{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-571C-5FCF-0000-0010C3713500}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023735Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.218{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-571C-5FCF-0000-0010C3713500}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023734Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:12.219{7E531255-571C-5FCF-0000-0010C3713500}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023751Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.468{7E531255-571E-5FCF-0000-00109B753500}8647084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023750Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-571E-5FCF-0000-00109B753500}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023749Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023748Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023747Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023746Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023745Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-571E-5FCF-0000-00109B753500}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023744Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-571E-5FCF-0000-00109B753500}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023743Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:14.328{7E531255-571E-5FCF-0000-00109B753500}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023769Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.687{7E531255-571F-5FCF-0000-0010BC793500}71085156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023768Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.546{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-571F-5FCF-0000-0010BC793500}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023767Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.546{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023766Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.546{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023765Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.546{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023764Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.546{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023763Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.546{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-571F-5FCF-0000-0010BC793500}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023762Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.546{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-571F-5FCF-0000-0010BC793500}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023761Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.549{7E531255-571F-5FCF-0000-0010BC793500}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023760Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.140{7E531255-571F-5FCF-0000-0010C6773500}21001380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023759Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-571F-5FCF-0000-0010C6773500}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023758Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023757Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023756Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023755Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023754Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-571F-5FCF-0000-0010C6773500}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023753Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-571F-5FCF-0000-0010C6773500}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023752Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:15.000{7E531255-571F-5FCF-0000-0010C6773500}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023777Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.421{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5720-5FCF-0000-0010A97B3500}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023776Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023775Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023774Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023773Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023772Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.421{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-5720-5FCF-0000-0010A97B3500}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023771Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.421{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5720-5FCF-0000-0010A97B3500}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023770Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:16.422{7E531255-5720-5FCF-0000-0010A97B3500}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023784Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:43.030{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023783Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:43.030{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023782Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:43.030{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023781Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:43.030{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023780Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:43.030{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023779Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:43.030{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023778Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:43.030{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023787Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:56.701{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C72-5FCF-0000-001066F10000}1592C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023786Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:56.701{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C72-5FCF-0000-001066F10000}1592C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023785Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:56.701{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C72-5FCF-0000-001066F10000}1592C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023788Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:36:58.358{7E531255-3C70-5FCF-0000-001030540000}868940C:\Windows\system32\lsass.exe{7E531255-3C6F-5FCF-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000023796Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.373{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5756-5FCF-0000-0010069C3500}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023795Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023794Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023793Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023792Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023791Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.373{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-5756-5FCF-0000-0010069C3500}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023790Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.373{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5756-5FCF-0000-0010069C3500}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023789Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:10.374{7E531255-5756-5FCF-0000-0010069C3500}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023805Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.701{7E531255-5757-5FCF-0000-0010CB9D3500}51926684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023804Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.560{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5757-5FCF-0000-0010CB9D3500}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023803Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.560{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023802Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.560{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023801Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.560{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023800Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.560{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023799Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.560{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-5757-5FCF-0000-0010CB9D3500}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023798Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.560{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5757-5FCF-0000-0010CB9D3500}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023797Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:11.561{7E531255-5757-5FCF-0000-0010CB9D3500}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023813Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.201{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5758-5FCF-0000-0010789F3500}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023812Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.201{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023811Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.201{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023810Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.201{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023809Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.201{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023808Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.201{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-5758-5FCF-0000-0010789F3500}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023807Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.201{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5758-5FCF-0000-0010789F3500}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023806Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:12.202{7E531255-5758-5FCF-0000-0010789F3500}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023822Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.482{7E531255-575A-5FCF-0000-001073A13500}64442036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023821Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-575A-5FCF-0000-001073A13500}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023820Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023819Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023818Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023817Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023816Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-575A-5FCF-0000-001073A13500}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023815Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-575A-5FCF-0000-001073A13500}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023814Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:14.342{7E531255-575A-5FCF-0000-001073A13500}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023840Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.826{7E531255-575B-5FCF-0000-0010C6A43500}37324360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023839Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.685{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-575B-5FCF-0000-0010C6A43500}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023838Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.685{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023837Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.685{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023836Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.685{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023835Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.685{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023834Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.685{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-575B-5FCF-0000-0010C6A43500}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023833Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.685{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-575B-5FCF-0000-0010C6A43500}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023832Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.686{7E531255-575B-5FCF-0000-0010C6A43500}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023831Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.154{7E531255-575B-5FCF-0000-001020A33500}29086220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023830Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.013{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-575B-5FCF-0000-001020A33500}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023829Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.013{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023828Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.013{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023827Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.013{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023826Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.013{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023825Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.013{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-575B-5FCF-0000-001020A33500}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023824Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.013{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-575B-5FCF-0000-001020A33500}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023823Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:15.014{7E531255-575B-5FCF-0000-001020A33500}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023848Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-575C-5FCF-0000-00100BA73500}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023847Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023846Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023845Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023844Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023843Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-575C-5FCF-0000-00100BA73500}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023842Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-575C-5FCF-0000-00100BA73500}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023841Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:16.420{7E531255-575C-5FCF-0000-00100BA73500}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000023858Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000023857Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006945a5) 13241300x800000000000000023856Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cd45-0xb7d13f6c) 13241300x800000000000000023855Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cd4e-0x1995a76c) 13241300x800000000000000023854Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cd56-0x7b5a0f6c) 13241300x800000000000000023853Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000023852Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006945a5) 13241300x800000000000000023851Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cd45-0xb7d13f6c) 13241300x800000000000000023850Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cd4e-0x1995a76c) 13241300x800000000000000023849Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:17.888{7E531255-3C70-5FCF-0000-001030540000}868C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cd56-0x7b5a0f6c) 13241300x800000000000000023859Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:37:22.529{7E531255-3C72-5FCF-0000-00105DC40000}1220C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd4e-0x1c9e6565) 10341000x800000000000000023865Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:35.763{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023864Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:35.763{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023863Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:35.763{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023862Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:35.763{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023861Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:35.763{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023860Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:35.763{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023866Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:37:59.231{7E531255-3C72-5FCF-0000-001000AA0000}9962668C:\Windows\system32\svchost.exe{7E531255-3C72-5FCF-0000-0010E9B90000}1160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023899Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023898Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023897Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023896Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023895Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023894Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023893Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023892Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023891Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023890Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023889Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023888Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023887Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023886Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023885Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023884Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023883Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023882Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023881Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023880Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023879Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023878Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023877Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023876Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023875Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023874Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023873Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023872Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023871Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023870Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023869Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023868Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023867Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:00.246{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023907Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.371{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5792-5FCF-0000-0010E5D73500}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023906Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.371{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023905Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.371{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023904Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.371{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023903Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.371{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023902Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.371{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-5792-5FCF-0000-0010E5D73500}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023901Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.371{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5792-5FCF-0000-0010E5D73500}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023900Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:10.372{7E531255-5792-5FCF-0000-0010E5D73500}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023915Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.574{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5793-5FCF-0000-0010A8D93500}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023914Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.574{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023913Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.574{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023912Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.574{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023911Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.574{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023910Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.574{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-5793-5FCF-0000-0010A8D93500}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023909Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.574{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5793-5FCF-0000-0010A8D93500}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023908Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:11.575{7E531255-5793-5FCF-0000-0010A8D93500}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023924Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.386{7E531255-5794-5FCF-0000-001066DB3500}41767124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023923Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5794-5FCF-0000-001066DB3500}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023922Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023921Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023920Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023919Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023918Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-5794-5FCF-0000-001066DB3500}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023917Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5794-5FCF-0000-001066DB3500}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023916Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:12.246{7E531255-5794-5FCF-0000-001066DB3500}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000023927Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:38:13.199{7E531255-3C82-5FCF-0000-0010C1C10200}3160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 13241300x800000000000000023926Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:38:13.199{7E531255-3C82-5FCF-0000-0010C1C10200}3160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3A46648B-6C58-4CA9-9DAD-2BA2AF55AD22\Config SourceDWORD (0x00000001) 13241300x800000000000000023925Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:38:13.199{7E531255-3C82-5FCF-0000-0010C1C10200}3160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3A46648B-6C58-4CA9-9DAD-2BA2AF55AD22\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3A46648B-6C58-4CA9-9DAD-2BA2AF55AD22.XML 10341000x800000000000000023936Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.496{7E531255-5796-5FCF-0000-0010C7DF3500}62286468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023935Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.355{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5796-5FCF-0000-0010C7DF3500}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023934Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.355{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023933Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.355{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023932Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.355{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023931Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.355{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023930Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.355{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-5796-5FCF-0000-0010C7DF3500}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023929Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.355{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5796-5FCF-0000-0010C7DF3500}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023928Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:14.356{7E531255-5796-5FCF-0000-0010C7DF3500}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023954Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.761{7E531255-5797-5FCF-0000-0010D3E43500}10801860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023953Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.621{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5797-5FCF-0000-0010D3E43500}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023952Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.621{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023951Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.621{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023950Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.621{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023949Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.621{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023948Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.621{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-5797-5FCF-0000-0010D3E43500}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023947Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.621{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5797-5FCF-0000-0010D3E43500}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023946Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.622{7E531255-5797-5FCF-0000-0010D3E43500}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023945Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.168{7E531255-5797-5FCF-0000-00100EE33500}35006000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023944Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.027{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5797-5FCF-0000-00100EE33500}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023943Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.027{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023942Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.027{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023941Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.027{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023940Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.027{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023939Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.027{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-5797-5FCF-0000-00100EE33500}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023938Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.027{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5797-5FCF-0000-00100EE33500}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023937Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:15.028{7E531255-5797-5FCF-0000-00100EE33500}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023962Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5798-5FCF-0000-0010B1E63500}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023961Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023960Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023959Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023958Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023957Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-5798-5FCF-0000-0010B1E63500}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023956Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5798-5FCF-0000-0010B1E63500}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023955Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:16.418{7E531255-5798-5FCF-0000-0010B1E63500}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023966Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:19.620{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023965Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:19.620{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023964Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:19.605{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023963Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:19.605{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-0010FDBD0200}2484C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023975Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.980{7E531255-579C-5FCF-0000-00101BF33500}36923344C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\shell32.dll+d001a|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+ef71f|C:\Windows\System32\shell32.dll+ef90d|C:\Windows\System32\shell32.dll+10b0b9|C:\Windows\System32\shell32.dll+317068|C:\Windows\System32\shell32.dll+316e0a|C:\Windows\System32\shell32.dll+3d055|C:\Windows\System32\shell32.dll+3c827|C:\Windows\System32\shell32.dll+3c0f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023974Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.980{7E531255-579C-5FCF-0000-00101BF33500}36923344C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+ef71f|C:\Windows\System32\shell32.dll+ef90d|C:\Windows\System32\shell32.dll+10b0b9|C:\Windows\System32\shell32.dll+317068|C:\Windows\System32\shell32.dll+316e0a|C:\Windows\System32\shell32.dll+3d055|C:\Windows\System32\shell32.dll+3c827|C:\Windows\System32\shell32.dll+3c0f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023973Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.980{7E531255-579C-5FCF-0000-00101BF33500}36923344C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+ef71f|C:\Windows\System32\shell32.dll+ef90d|C:\Windows\System32\shell32.dll+10b0b9|C:\Windows\System32\shell32.dll+317068|C:\Windows\System32\shell32.dll+316e0a|C:\Windows\System32\shell32.dll+3d055|C:\Windows\System32\shell32.dll+3c827|C:\Windows\System32\shell32.dll+3c0f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023972Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.964{7E531255-3C72-5FCF-0000-0010E9B90000}11601248C:\Windows\system32\svchost.exe{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023971Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.964{7E531255-3C72-5FCF-0000-0010E9B90000}11601644C:\Windows\system32\svchost.exe{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023970Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.964{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023969Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.964{7E531255-3D7C-5FCF-0000-0010020F0700}26962676C:\Windows\system32\csrss.exe{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023968Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.964{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023967Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:20.964{7E531255-3C72-5FCF-0000-0010EF650000}6083140C:\Windows\system32\svchost.exe{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023987Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.042{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023986Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.042{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023985Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.042{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023984Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.042{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023983Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.042{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023982Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.042{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023981Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.042{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023980Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.011{7E531255-3D7E-5FCF-0000-001039470800}32722620C:\Windows\system32\taskhostw.exe{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023979Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.011{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023978Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.011{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023977Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.011{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023976Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:21.011{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-579C-5FCF-0000-00101BF33500}3692C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000023988Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.localSetValue2020-12-08 10:38:23.511{7E531255-3C72-5FCF-0000-00105DC40000}1220C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cd4e-0x40f787f2) 10341000x800000000000000023998Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023997Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023996Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-579C-5FCF-0000-00101BF33500}36926696C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43c6e|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023995Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-579C-5FCF-0000-00101BF33500}36926696C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43bd8|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023994Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023993Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-579C-5FCF-0000-00101BF33500}36926696C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023992Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-579C-5FCF-0000-00101BF33500}36926696C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023991Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023990Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023989Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:25.423{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023999Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:26.360{7E531255-3D7E-5FCF-0000-001039470800}32722620C:\Windows\system32\taskhostw.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024020Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.516{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024019Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.516{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024018Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.516{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024017Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.516{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024016Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.516{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024015Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.516{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+2fd1a|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024014Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.516{7E531255-3D7F-5FCF-0000-00104D7C0800}42925088C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+3007c|C:\Windows\Explorer.EXE+30028|C:\Windows\Explorer.EXE+2fccc|C:\Windows\Explorer.EXE+2ff29|C:\Windows\Explorer.EXE+2fc59|C:\Windows\Explorer.EXE+3ab97|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024013Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.485{7E531255-3D7E-5FCF-0000-001039470800}32722620C:\Windows\system32\taskhostw.exe{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024012Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.485{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024011Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.485{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024010Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.485{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024009Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.485{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024008Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.469{7E531255-57AB-5FCF-0000-001093243600}53846240C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6437|C:\Windows\System32\shcore.dll+6327|C:\Windows\System32\shcore.dll+629d|C:\Windows\System32\shcore.dll+61aa|C:\Windows\System32\shell32.dll+d001a|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+ef71f|C:\Windows\System32\shell32.dll+ef90d|C:\Windows\System32\shell32.dll+10b0b9|C:\Windows\System32\shell32.dll+317068|C:\Windows\System32\shell32.dll+316e0a|C:\Windows\System32\shell32.dll+3d055|C:\Windows\System32\shell32.dll+3c827|C:\Windows\System32\shell32.dll+3c0f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024007Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.469{7E531255-57AB-5FCF-0000-001093243600}53846240C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+ef71f|C:\Windows\System32\shell32.dll+ef90d|C:\Windows\System32\shell32.dll+10b0b9|C:\Windows\System32\shell32.dll+317068|C:\Windows\System32\shell32.dll+316e0a|C:\Windows\System32\shell32.dll+3d055|C:\Windows\System32\shell32.dll+3c827|C:\Windows\System32\shell32.dll+3c0f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024006Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.469{7E531255-57AB-5FCF-0000-001093243600}53846240C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+d0008|C:\Windows\System32\shell32.dll+ef204|C:\Windows\System32\shell32.dll+ef71f|C:\Windows\System32\shell32.dll+ef90d|C:\Windows\System32\shell32.dll+10b0b9|C:\Windows\System32\shell32.dll+317068|C:\Windows\System32\shell32.dll+316e0a|C:\Windows\System32\shell32.dll+3d055|C:\Windows\System32\shell32.dll+3c827|C:\Windows\System32\shell32.dll+3c0f9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024005Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.454{7E531255-3C72-5FCF-0000-0010E9B90000}11601248C:\Windows\system32\svchost.exe{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024004Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.454{7E531255-3C72-5FCF-0000-0010E9B90000}11601644C:\Windows\system32\svchost.exe{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024003Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.454{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024002Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.454{7E531255-3D7C-5FCF-0000-0010020F0700}26964268C:\Windows\system32\csrss.exe{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024001Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.438{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024000Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:35.438{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-57AB-5FCF-0000-001093243600}5384C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024024Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:38.891{7E531255-57AB-5FCF-0000-001093243600}53846092C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43c6e|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024023Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:38.891{7E531255-57AB-5FCF-0000-001093243600}53846092C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+124a5|C:\Windows\System32\shell32.dll+43bd8|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024022Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:38.891{7E531255-57AB-5FCF-0000-001093243600}53846092C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+6422|C:\Windows\System32\shcore.dll+611d|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024021Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:38.891{7E531255-57AB-5FCF-0000-001093243600}53846092C:\Windows\system32\DllHost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+6468|C:\Windows\System32\shcore.dll+60f4|C:\Windows\System32\shcore.dll+5ddd|C:\Windows\System32\shcore.dll+5d6f|C:\Windows\System32\shcore.dll+5c74|C:\Windows\System32\shell32.dll+43bba|C:\Windows\System32\shell32.dll+eef32|C:\Windows\System32\shell32.dll+3c129e|C:\Windows\System32\shcore.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024030Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:49.688{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024029Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:49.688{7E531255-3D7F-5FCF-0000-00104D7C0800}42926304C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-00106B363500}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024028Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:49.688{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024027Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:49.688{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024026Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:49.688{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024025Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:38:49.688{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-570C-5FCF-0000-001051373500}208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024038Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-57CE-5FCF-0000-001026403600}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024037Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024036Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024035Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024034Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024033Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-57CE-5FCF-0000-001026403600}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024032Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-57CE-5FCF-0000-001026403600}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024031Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:10.375{7E531255-57CE-5FCF-0000-001026403600}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024046Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.578{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-57CF-5FCF-0000-0010EF413600}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024045Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.578{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024044Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.578{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024043Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.578{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024042Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.578{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024041Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.578{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-57CF-5FCF-0000-0010EF413600}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024040Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.578{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-57CF-5FCF-0000-0010EF413600}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024039Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:11.579{7E531255-57CF-5FCF-0000-0010EF413600}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024055Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.406{7E531255-57D0-5FCF-0000-001095433600}6645564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024054Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.250{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-57D0-5FCF-0000-001095433600}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024053Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.250{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024052Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.250{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024051Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.250{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024050Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.250{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024049Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.250{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-57D0-5FCF-0000-001095433600}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024048Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.250{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-57D0-5FCF-0000-001095433600}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024047Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:12.251{7E531255-57D0-5FCF-0000-001095433600}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024064Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.515{7E531255-57D2-5FCF-0000-0010A1453600}53762448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024063Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-57D2-5FCF-0000-0010A1453600}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024062Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024061Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024060Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024059Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024058Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-57D2-5FCF-0000-0010A1453600}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024057Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-57D2-5FCF-0000-0010A1453600}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024056Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:14.375{7E531255-57D2-5FCF-0000-0010A1453600}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024082Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.875{7E531255-57D3-5FCF-0000-0010F0483600}51244400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024081Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.718{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-57D3-5FCF-0000-0010F0483600}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024080Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.718{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024079Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.718{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024078Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.718{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024077Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.718{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024076Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.718{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-57D3-5FCF-0000-0010F0483600}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024075Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.718{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-57D3-5FCF-0000-0010F0483600}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024074Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.719{7E531255-57D3-5FCF-0000-0010F0483600}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024073Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.187{7E531255-57D3-5FCF-0000-00102B473600}20565756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024072Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.046{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-57D3-5FCF-0000-00102B473600}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024071Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.046{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024070Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.046{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024069Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.046{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024068Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.046{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024067Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.046{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-57D3-5FCF-0000-00102B473600}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024066Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.046{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-57D3-5FCF-0000-00102B473600}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024065Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:15.047{7E531255-57D3-5FCF-0000-00102B473600}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024090Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.421{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-57D4-5FCF-0000-0010254B3600}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024089Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024088Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024087Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024086Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.421{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024085Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.421{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-57D4-5FCF-0000-0010254B3600}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024084Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.421{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-57D4-5FCF-0000-0010254B3600}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024083Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:16.422{7E531255-57D4-5FCF-0000-0010254B3600}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024097Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:37.077{7E531255-3D7F-5FCF-0000-00104D7C0800}42925288C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+52065|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024096Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:37.077{7E531255-3D7F-5FCF-0000-00104D7C0800}42925288C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+51f7e|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024095Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:37.077{7E531255-3D7F-5FCF-0000-00104D7C0800}42925288C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024094Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:37.077{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024093Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:37.077{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024092Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:37.077{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024091Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:37.077{7E531255-3D7F-5FCF-0000-00104D7C0800}42925668C:\Windows\Explorer.EXE{7E531255-3DA7-5FCF-0000-0010755C0D00}6548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000024098Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:39:48.452{7E531255-3DA7-5FCF-0000-0010CF5A0D00}6540C:\Windows\System32\cmd.exeC:\$Recycle.Bin\test.ps12020-12-08 10:39:48.436 10341000x800000000000000024125Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024124Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024123Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024122Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024121Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024120Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024119Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024118Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024117Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024116Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024115Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024114Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024113Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024112Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024111Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024110Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D7F-5FCF-0000-00104D7C0800}4292C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024109Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024108Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024107Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D92-5FCF-0000-0010BF8D0B00}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024106Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024105Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024104Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024103Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024102Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024101Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024100Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024099Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:04.733{7E531255-3C72-5FCF-0000-001000AA0000}996648C:\Windows\system32\svchost.exe{7E531255-3D91-5FCF-0000-0010497F0B00}5784C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024133Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.373{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-580A-5FCF-0000-00109F5A3600}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024132Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024131Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024130Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024129Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024128Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.373{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-580A-5FCF-0000-00109F5A3600}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024127Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.373{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-580A-5FCF-0000-00109F5A3600}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024126Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:10.374{7E531255-580A-5FCF-0000-00109F5A3600}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024142Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.717{7E531255-580B-5FCF-0000-0010885C3600}31845892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024141Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.576{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-580B-5FCF-0000-0010885C3600}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024140Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.576{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024139Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.576{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024138Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.576{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024137Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.576{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024136Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.576{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-580B-5FCF-0000-0010885C3600}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024135Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.576{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-580B-5FCF-0000-0010885C3600}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024134Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:11.577{7E531255-580B-5FCF-0000-0010885C3600}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024150Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.248{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-580C-5FCF-0000-00101D5E3600}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024149Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.248{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024148Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.248{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024147Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.248{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024146Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.248{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024145Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.248{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-580C-5FCF-0000-00101D5E3600}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024144Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.248{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-580C-5FCF-0000-00101D5E3600}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024143Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:12.249{7E531255-580C-5FCF-0000-00101D5E3600}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024159Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.514{7E531255-580E-5FCF-0000-001012603600}50806204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024158Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.373{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-580E-5FCF-0000-001012603600}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024157Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024156Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024155Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024154Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.373{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024153Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.373{7E531255-3C6F-5FCF-0000-0010FC420000}6442428C:\Windows\system32\csrss.exe{7E531255-580E-5FCF-0000-001012603600}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024152Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.373{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-580E-5FCF-0000-001012603600}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024151Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:14.374{7E531255-580E-5FCF-0000-001012603600}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024177Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.732{7E531255-580F-5FCF-0000-0010EB633600}20724892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024176Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-580F-5FCF-0000-0010EB633600}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024175Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024174Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024173Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024172Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024171Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-3C6F-5FCF-0000-0010FC420000}644660C:\Windows\system32\csrss.exe{7E531255-580F-5FCF-0000-0010EB633600}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024170Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-580F-5FCF-0000-0010EB633600}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024169Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.592{7E531255-580F-5FCF-0000-0010EB633600}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024168Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.185{7E531255-580F-5FCF-0000-001034623600}60641360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024167Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-580F-5FCF-0000-001034623600}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024166Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024165Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024164Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024163Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024162Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-3C6F-5FCF-0000-0010FC420000}644792C:\Windows\system32\csrss.exe{7E531255-580F-5FCF-0000-001034623600}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024161Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-580F-5FCF-0000-001034623600}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024160Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:15.045{7E531255-580F-5FCF-0000-001034623600}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024185Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-3D0E-5FCF-0000-0010715C0600}29642712C:\Windows\system32\conhost.exe{7E531255-5810-5FCF-0000-00107F653600}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024184Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024183Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024182Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024181Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-3C72-5FCF-0000-0010EF650000}6082868C:\Windows\system32\svchost.exe{7E531255-3C82-5FCF-0000-001013BE0200}2176C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024180Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-3C6F-5FCF-0000-0010FC420000}6441168C:\Windows\system32\csrss.exe{7E531255-5810-5FCF-0000-00107F653600}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024179Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-3D0D-5FCF-0000-001089570600}34123856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E531255-5810-5FCF-0000-00107F653600}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024178Microsoft-Windows-Sysmon/Operationalwin-dc-431.attackrange.local2020-12-08 10:40:16.420{7E531255-5810-5FCF-0000-00107F653600}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E531255-3C70-5FCF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E531255-3D0D-5FCF-0000-001089570600}3412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service