23542300x80000000000000002268294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:53.773{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD00F345D0E1B9FF04CDA362D680683B,SHA256=3D0D7C38C6113CD3B49814E3E05AD98DCEE54BDDE8DADFC7BAD464E5228BA5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:54.785{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A17C0EC9476F9D1077AC24B2F59118,SHA256=117C395D6F6D7514B66995100EFD0450164D0CE5897843604C837B04234EB2DE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002268297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:58:53.992{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\20FED10E-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_20FED10E-0000-0000-0000-100000000000.XML 13241300x80000000000000002268296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:58:53.992{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Config SourceDWORD (0x00000001) 13241300x80000000000000002268295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:58:53.992{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_0992B788-1468-4F36-93BE-112B21933E91.XML 23542300x80000000000000002268304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:55.801{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04858DB81F9A3310D9386D815D7E67A,SHA256=2CA7EB013A7B8F8BA9D401863ACEC6986577F976CCFCE21A94DA6C8E7D06E284,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:51.762{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49759-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002268302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:51.762{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49759-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002268301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:51.756{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49758-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002268300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:51.756{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49758-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002268299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:55.035{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3434AD7B666A4C04D251C22FBAE5108,SHA256=9D137801C2827ADECE7D71F86659F6BA7A13AE8442EC8D6B6F867A6E82FBED3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:56.804{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD410C1623465B8048233A22BAA54086,SHA256=0A7342C381DA68C7FD04B82CD6B52248C7F78427F5423D21E3D0EDABE7DC0206,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:52.010{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49760-false10.0.1.12-8000- 23542300x80000000000000002268307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:57.804{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019A5D285E9661D59A1598BB948F89DD,SHA256=F94BD0A84F0C221EB7876A3B7BC21AA9A8F62BFB6E6996247D8408FF13F2FCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.819{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251ACF8A6AE9A79842C8497F6D4613B2,SHA256=A0EFBD33BB066F2819528B16153C47FD7A2D3AA4F25E61850D051FD600DF4AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.648{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64A39103516844A44BF530AA09FD7AA9,SHA256=0B6190D5BB95F82F2DA2305BC7CC4005BAB1EF78286A9BE3F147051A89265821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2DF2-6041-8E56-00000000AD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2DF2-6041-8E56-00000000AD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2DF2-6041-8E56-00000000AD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:58.476{5ABCFE62-2DF2-6041-8E56-00000000AD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002268351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2DF3-6041-9056-00000000AD01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2DF3-6041-9056-00000000AD01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2DF3-6041-9056-00000000AD01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.773{5ABCFE62-2DF3-6041-9056-00000000AD01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002268338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:55.416{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local49761-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002268337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:55.416{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local49761-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 10341000x80000000000000002268336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.226{5ABCFE62-2DF3-6041-8F56-00000000AD01}24402204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2DF3-6041-8F56-00000000AD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2DF3-6041-8F56-00000000AD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.101{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2DF3-6041-8F56-00000000AD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.102{5ABCFE62-2DF3-6041-8F56-00000000AD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002268353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:00.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D20CE63FF1A5FB12216B3C475F5ECDA,SHA256=5A23C69B701832A502A363BBB9CCBAEF57B0A62BDE9F9C0C3C0FD3EE5163F1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:00.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD2DA8508E955B04189A31CA051007FD,SHA256=9F7F5EA1F6424A5AF383608FCE46B9086F7220B75C54B4E6C9B246CF56E79439,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:57.853{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49762-false10.0.1.12-8000- 23542300x80000000000000002268354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:01.413{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0AA9D59FF0A31B128E25FC933275ED,SHA256=5209CEBEAA7A83DEC14308195E6B16434D4F80FBA9BCEBB0E7A0E8E6A3BC9F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:02.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5886B8020D9AB51CB956FA88264456A,SHA256=F7BB8C35B433574731395927CB5646D5C68507EF5BA5A78BB7CA7C5C636DCA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:02.429{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089C1A23C5ADFDF75BD9AE62CC02A6FF,SHA256=988E71D5A8F388776A4EFFDF8AE638275C4C07B9460321906967FAB8FBC5AF75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:58:59.400{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63761- 23542300x80000000000000002268359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:03.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B007BBDC8A036409CB94BA94D9E1008D,SHA256=07576D103192078F18CEDFAC61551980EA3AC8FA20B61BBB87E1A9B8513FEC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:03.585{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CA22F6A74D5722BD87A46C9F4625D5,SHA256=5E163720993288982C2A0044C060B1111448A066C9EA6A47CC296A75D2ADD9DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:00.415{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63761- 23542300x80000000000000002268361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:04.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCC7E74AA7326725693A36DA04138DB,SHA256=A8BF53CE5A3EE96ECE5BDA40D1ECC317F5AF54A2C47817211656F70654B0C69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:05.773{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A40FA2ABAFB59E648AF4355EF3B7D3,SHA256=4ADDB508F193C8A6E9F06ED3806F4F7AA16CAEA79A07D100D40FE7BFC936C023,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:02.900{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49763-false10.0.1.12-8000- 23542300x80000000000000002268365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:06.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7782597A5626813A35A357301BCAF2,SHA256=1AAA828902A17F0E759572F66487B8765F40796BABD2B32414B7C1D76C9B0719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:06.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=131FDC64542125564D3DCD212CA4DF89,SHA256=7EC7111E09619709D1BBEE4BF59D0C5CF2FDDBF0A54F8F869FF8A87F8C24BDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:07.804{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D100F4FFF23D5D0DC2309EE9B7E29837,SHA256=B7FD2E9648A9B7F65E4A976DFC8F68E6339DD3C10DD23304EA7F90F479A98F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:08.835{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18236EF6F64823FE89CC0F577F5AE15,SHA256=5AF2F23341E84290A6243DBDD4AA8E45F2C090DEC438F95335D4C142D33B4CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:09.851{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C190454E847957DFEA1FA9D9C9EF4C4,SHA256=8974A7D18EC8E3B28171B55570744681C49B8618DE10C138E19060AB2968CECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.851{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D8C824D2624011E1B24F5C99B86162,SHA256=E26B9A1133BD16D4A80907D22D1C252C21F350394F237CCB59DA0E9931317BA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.835{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002268385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002268370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.679{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB5A74452BC672FFA37E1EE524497A36,SHA256=B86BC5045610B2316E8B7CF4435121E73B9FA2D93BD7FF228BFE3AD9BE11E377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:11.866{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6B880F4E2DDCC171A140AD58A862E9,SHA256=B6726D0B887494710247DCBBDDFDEA344E603C4562C70D30DEB8F42102CE8584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:11.835{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B842BA8517FD6A34465B19DE4ED9CBC5,SHA256=D7CF1B9DB517ABCFAD70EF2D75611EF18D0658C7482A45A071FCB685CDBD7C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:11.507{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:12.866{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46C8BBE73245F66A96547F241FAB1A2,SHA256=399BCEE1FC5CD82611F5EE97002610937CCE2EE1B877A5E03CBEEB3946C85B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:08.488{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local49766-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002268397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:08.488{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49766-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002268396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:08.482{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49765-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002268395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:08.482{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49765-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002268394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:07.931{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49764-false10.0.1.12-8000- 23542300x80000000000000002268436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88D7DFD1D02D31C6C4119A510E2BEDA,SHA256=07A9BB2C14F9501B344B6FDC443746BE6B5FFF99DD63475F7FB051684D055E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.695{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97980303B02FC1D3AC2D4239B4DE4F98,SHA256=23EB1343954D22D6CD9FC6297F7B3E7A11FF21802A69F87C266FADB87467EEAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:13.585{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002268403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:09.415{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59497- 354300x80000000000000002268402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:09.244{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49768-false10.0.1.12-8089- 354300x80000000000000002268401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:08.590{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49767-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002268400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:08.590{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49767-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 10341000x80000000000000002268464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.976{5ABCFE62-2E02-6041-9256-00000000AD01}5888388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E02-6041-9256-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E02-6041-9256-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E02-6041-9256-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.851{5ABCFE62-2E02-6041-9256-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002268450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E02-6041-9156-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2E02-6041-9156-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.179{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E02-6041-9156-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:14.180{5ABCFE62-2E02-6041-9156-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002268437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:10.430{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59497- 23542300x80000000000000002268481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.991{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDE7B2C02E789774A7146BB2D98634B,SHA256=C8DEBEFDD15744E46F625050A21A062DD527122971D1329B572B777A7E6D1D3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.648{5ABCFE62-2E03-6041-9356-00000000AD01}60804932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E03-6041-9356-00000000AD01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2E03-6041-9356-00000000AD01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E03-6041-9356-00000000AD01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.523{5ABCFE62-2E03-6041-9356-00000000AD01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002268466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.195{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28508AB01D98CBF143EE9BAB0B5046C2,SHA256=436FCCAB6906A31AC91F1E7781A0B56083E4CB93160CC30AAA472B7D38E18429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:15.054{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DE5AB59321E27176EE585F8DBDAE7D,SHA256=7F4E9F95C4D2D60F9C9044E4035EF78E0B2E29737276D13A35B0A585DD27CC94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:12.962{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49769-false10.0.1.12-8000- 10341000x80000000000000002268496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.320{5ABCFE62-2E04-6041-9456-00000000AD01}40443396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002268495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.226{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68754695ADE6AAF5AEE1821D27280DA2,SHA256=32CDE5A0F5354C940F10C2C4F3A37AC53A4B55A6757992D39C83A7FACFFCB3BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E04-6041-9456-00000000AD01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E04-6041-9456-00000000AD01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E04-6041-9456-00000000AD01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:16.195{5ABCFE62-2E04-6041-9456-00000000AD01}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002268499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:17.320{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBD0C98615866023C1D92AEC14E58DEB,SHA256=B595E11DE540794895908B57175BCDAE370BBECA26137C7CA254957A8B110CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:17.023{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF338F5DC9E574B34DD19D8D52761D3,SHA256=65D389D66143C4773620FACFD711B7BC79D9A6634E514AA09A06EC8B8964EB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:18.023{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51432DAD55BF73C231B794506ABF0C95,SHA256=618ABA6B90EB7AAE762EBEAF23976274812B653D82A7E9D17C99672E3F6DD4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:19.038{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB53F2820D40A5C3A24D247F735D25CE,SHA256=6BCEB89AB41C4D3722330E7824CFB0739407E1B812320584A4B317DD940B1A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:20.726{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A5D6F156D31B74DC44FCA657B3CACB9,SHA256=F3BBD7A986EB169336D36D131CC03135405B7AE38DF7F20797FE6DEEDD585F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:20.054{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D147BEA502B104912A911EAA4F93ECE5,SHA256=5B0CF91ACA48919EBF5548BE1330E9BFD5FFE74FF92A4E6011988DD246B6E031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:21.070{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21708E805558CE13356AB9D7B9371DF8,SHA256=B57423D6F50325AABC5A27BEF9EBDA52D43AF90870DCF6B4C58E7A697B5E9EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:22.820{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB6148F3C295A845A15E197802AB9139,SHA256=14B716FD2550F5DA94F38EBDF995EB0E052AEBBD2BE500AFFB01EBE5A0DE3FFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:18.009{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49770-false10.0.1.12-8000- 23542300x80000000000000002268505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:22.070{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7CEAECB613F43BAE7A86B362713CAA,SHA256=74FDFE5BD84228AA7BEC8EF09C4D542DC2ABD77EE1047C22F6BBD7C7936F0D34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-2E0B-6041-9656-00000000AD01}6628368C:\Windows\system32\csrss.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-2E0B-6041-9756-00000000AD01}54766108C:\Windows\system32\winlogon.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.994{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa39fc855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e73SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000002268574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.976{5ABCFE62-842F-603E-0F00-00000000AD01}2966776C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.976{5ABCFE62-842F-603E-0F00-00000000AD01}2966776C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.976{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.976{5ABCFE62-842F-603E-0F00-00000000AD01}2966776C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.976{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.913{5ABCFE62-2E0B-6041-9656-00000000AD01}66284120C:\Windows\system32\csrss.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5182f 13241300x80000000000000002268564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002268563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000002268562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x80000000000000002268561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002268560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000002268559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Mouse0 13241300x80000000000000002268558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002268557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000002268556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 13241300x80000000000000002268555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000002268554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000002268553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:23.867{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session3Keyboard0 10341000x80000000000000002268552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9656-00000000AD01}6628C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002268538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002268537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002268536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-2E0B-6041-9556-00000000AD01}52844900C:\Windows\System32\smss.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000002268535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.852{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e73SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5ABCFE62-2E0B-6041-9556-00000000AD01}5284C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000148 0000007c 10341000x80000000000000002268534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.851{5ABCFE62-8423-603E-0200-00000000AD01}3203576C:\Windows\System32\smss.exe{5ABCFE62-2E0B-6041-9656-00000000AD01}6628C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9656-00000000AD01}6628C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.835{5ABCFE62-2E0B-6041-9556-00000000AD01}52844900C:\Windows\System32\smss.exe{5ABCFE62-2E0B-6041-9656-00000000AD01}6628C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000002268522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.837{5ABCFE62-2E0B-6041-9656-00000000AD01}6628C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e73SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5ABCFE62-2E0B-6041-9556-00000000AD01}5284C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000148 0000007c 10341000x80000000000000002268521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-8423-603E-0200-00000000AD01}3203576C:\Windows\System32\smss.exe{5ABCFE62-2E0B-6041-9556-00000000AD01}5284C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6c14|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.820{5ABCFE62-8423-603E-0200-00000000AD01}3203576C:\Windows\System32\smss.exe{5ABCFE62-2E0B-6041-9556-00000000AD01}5284C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\SYSTEM32\ntdll.dll+8c58e|C:\Windows\SYSTEM32\ntdll.dll+8c339|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5182f 154100x80000000000000002268510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.823{5ABCFE62-2E0B-6041-9556-00000000AD01}5284C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000148 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e73SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5ABCFE62-8423-603E-0200-00000000AD01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x80000000000000002268509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.085{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9627700012D6D9B6E3D58E42C73721A,SHA256=BF71CC8B31F5F071BDB470C93EABB30AA85F621FEAFE2A35626A9F5A4FC294C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.038{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AF9982356A563665C99909718B6F3083,SHA256=C811AF83C853BEADACEFF4F80A9DA9813A507951F932B828F4C576A65D0AA2A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268801Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.898{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268800Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.898{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268799Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.898{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268798Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.898{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268797Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.898{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268796Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.898{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000002268795Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:24.882{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 17141700x80000000000000002268794Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 18:59:24.882{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268793Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.882{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268792Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.851{5ABCFE62-99F1-603E-7907-00000000AD01}30804580C:\Windows\system32\csrss.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\winsrv.DLL+7de7|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268791Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.851{5ABCFE62-99F1-603E-7907-00000000AD01}30804580C:\Windows\system32\csrss.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5182f 13241300x80000000000000002268790Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002268789Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000002268788Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000002268787Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002268786Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000002268785Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000002268784Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000002268783Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000002268782Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000002268781Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000002268780Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000002268779Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.851{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 23542300x80000000000000002268778Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.835{5ABCFE62-99F5-603E-8E07-00000000AD01}2576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=6F58E14809ACD6846381299CDE641024,SHA256=85E7E0F41EAD7FE300AE203CCD6222D3395F8494CF3C17D798A14493DE74BEE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268777Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268776Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.835{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268775Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.820{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268774Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.820{5ABCFE62-842F-603E-0F00-00000000AD01}2966776C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268773Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.820{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002268772Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.757{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AED0C7B85430F9797A72043DC87746A,SHA256=2A192427FEC0839040A4CFD80CF606C23C5E6A82F61D0D0805EC44FFBAC09C1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268771Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.742{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268770Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268769Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268768Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268767Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268766Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268765Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268764Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268763Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268762Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268761Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268760Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268759Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.729{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002268758Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268757Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268756Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268755Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268754Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268753Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268752Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268751Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268750Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268749Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268748Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268747Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268746Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268745Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268744Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.726{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000002268743Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.663{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000002268742Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.663{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x80000000000000002268741Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-DeleteValue2021-03-04 18:59:24.663{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x80000000000000002268740Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.663{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x80000000000000002268739Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.663{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x80000000000000002268738Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-DeleteValue2021-03-04 18:59:24.663{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 23542300x80000000000000002268737Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.601{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779F5C845314E4E90EEBFE11B0D102EC,SHA256=F078452B9654DF181F92F1AD0E5B20802F577CA64BBAEDB2C029D95D64ADAA40,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002268736Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.601{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000002268735Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.601{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x80000000000000002268734Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-DeleteValue2021-03-04 18:59:24.601{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x80000000000000002268733Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.601{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000002268732Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 18:59:24.601{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x80000000000000002268731Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-DeleteValue2021-03-04 18:59:24.601{5ABCFE62-8423-603E-0100-00000000AD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 23542300x80000000000000002268730Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.554{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC97E6E7DA20F9D24B035B36ADB3646A,SHA256=27F114EFDB75E3ADFE1EC182A35636C7E4F7902D80DA036A1154108FE4CE46A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268729Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.538{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268728Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.538{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268727Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.538{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268726Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.538{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268725Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.538{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268724Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.538{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268723Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.538{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268722Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268721Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268720Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268719Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268718Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268717Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268716Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268715Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268714Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268713Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268712Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268711Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268710Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268709Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268708Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268707Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.523{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.507{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.507{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.507{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.507{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.492{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.492{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.492{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.492{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.492{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.492{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-1000-00000000AD01}922188C:\Windows\System32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.476{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002268681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.460{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D8C3FABB8BF8EDC8D377B046F04EA4,SHA256=8CCF78777BDAE41CD994F73D0E8416D26E82C2F279C31B0944A5A9552FD1EF6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.398{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.398{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.398{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.398{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.398{5ABCFE62-842F-603E-1000-00000000AD01}925712C:\Windows\System32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.398{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.398{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000002268670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:24.366{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-1200-00000000AD01}3921604C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-1200-00000000AD01}3921604C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-1200-00000000AD01}3921604C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.366{5ABCFE62-842F-603E-1200-00000000AD01}3921604C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000002268662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:24.351{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 18141800x80000000000000002268661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:24.320{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000002268658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:24.320{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 17141700x80000000000000002268657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 18:59:24.320{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-1000-00000000AD01}925448C:\Windows\System32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0F00-00000000AD01}2964116C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.320{5ABCFE62-842F-603E-0F00-00000000AD01}2964116C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002268634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B367A135365C0A4C08F9E6F193EF059,SHA256=E374CDD41BED002357641FA00563CB05690E33DAB19626DB856A884CFA2AD777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.273{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=229D0995EED3A24C2CA599243D5E38EE,SHA256=F10E52B4E6A3D35A7F4AB9E47C6BF163099C7DE97ADE788DEF7B3FBEC2A004E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.273{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CFEC48C026ED0559511232E305FDE8,SHA256=B14931DFF905588BE9339B2FDE7F95A0A6E48E1A0B4959C958CBAD7ACDC0A0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002268631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.273{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=19D10D03EC2F6E1631703AAED2F4BFAB,SHA256=6ADE8EAE4F4130BB23B06245A564F7CB7620E68136BC173456BE67340D4E4714,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002268630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:19.789{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse174.27.137.81174-27-137-81.bois.qwest.net52120-false10.0.1.14win-dc-228.attackrange.local3389ms-wbt-server 10341000x80000000000000002268629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.148{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.148{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.148{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.070{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.070{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.070{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.070{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.070{5ABCFE62-842F-603E-0F00-00000000AD01}2964116C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.070{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-2E0B-6041-9656-00000000AD01}6628368C:\Windows\system32\csrss.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-2E0B-6041-9756-00000000AD01}54766296C:\Windows\system32\winlogon.exe{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.035{5ABCFE62-2E0C-6041-9956-00000000AD01}2840C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-3{5ABCFE62-2E0B-6041-AB0F-440300000000}0x3440fab3SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000002268597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1c030|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-842F-603E-1500-00000000AD01}11041444C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.023{5ABCFE62-2E0B-6041-9856-00000000AD01}980716C:\Windows\system32\LogonUI.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.007{5ABCFE62-842F-603E-0F00-00000000AD01}2964116C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.007{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9856-00000000AD01}980C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.992{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.741{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8109E78DD6260811CBA2582CF238489,SHA256=24FAC40BCC73D972A1FEFCAFD84C4DB7174B42B5E0DA91DA169F5E987E5FBDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.523{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9EBF126806742988D0C4A64866872B43,SHA256=DBAB9992F562502079B435B332CAC30D6F5466C5A603DDD98A21A833DD15BF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269066Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.523{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3B95B6E86534871670D496078DB12A9C,SHA256=83932050A8A679E03D2AB85083D12936CB75400C616A8C636215757E70BFD493,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002269065Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localT1122SetValue2021-03-04 18:59:25.226{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{DF0C5B26-A2D5-49A7-AFC5-9A09CCD20D7C}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x80000000000000002269064Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localT1122SetValue2021-03-04 18:59:25.226{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exeHKCR\CLSID\{DF0C5B26-A2D5-49A7-AFC5-9A09CCD20D7C}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 23542300x80000000000000002269063Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.226{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858C43DC779384FD3B46D1E9A53F46FF,SHA256=3CB5FC49720727043AE2614484F46873A036ED4C31885E55F57EA151DA1726B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269062Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0D-6041-9E56-00000000AD01}7064C:\Windows\system32\DllHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269061Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269060Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269059Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269058Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269057Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269056Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269055Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269054Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269053Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269052Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269051Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269050Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269049Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269048Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269047Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269046Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269045Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269044Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269043Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269042Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269041Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269040Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269039Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269038Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269037Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269036Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269035Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269034Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269033Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269032Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269031Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269030Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269029Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269028Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269027Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269026Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269025Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269024Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269023Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269022Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269021Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269020Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269019Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269018Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269017Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269016Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269015Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269014Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0D-6041-9E56-00000000AD01}7064C:\Windows\system32\DllHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269013Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0C-6041-9A56-00000000AD01}6764C:\Windows\system32\TSTheme.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269012Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269011Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269010Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269009Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269008Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269007Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269006Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269005Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269004Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269003Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269002Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269001Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269000Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268999Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268998Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268997Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268996Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268995Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268994Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268993Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268992Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268991Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268990Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268989Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268988Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268987Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268986Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268985Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268984Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268983Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268982Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268981Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268980Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268979Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268978Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268977Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268976Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268975Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268974Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268973Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268972Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268971Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268970Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268969Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268968Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268967Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a7914|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f3fd|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268966Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.195{5ABCFE62-842F-603E-0F00-00000000AD01}2966324C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268965Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.163{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0D-6041-9E56-00000000AD01}7064C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268964Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.148{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E0D-6041-9E56-00000000AD01}7064C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268963Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.148{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E0D-6041-9E56-00000000AD01}7064C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002268962Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.148{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A171B1B2E9D57CAB85DFE62D08A60429,SHA256=D226EC4A1745FBC930C9E4089CE6B8DFAFD7487C40B43FBCC5534AD53691DC8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268961Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.148{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268960Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.148{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268959Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.132{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268958Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.132{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002268957Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.117{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29992B41E2D19FB617B56139BAC2CE27,SHA256=388BF85011E2C393CD321EB6E3052A6E7080DBFDED8C6907EEA9F5019C34FC06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268956Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268955Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268954Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268953Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268952Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268951Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268950Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268949Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268948Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268947Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268946Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268945Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.101{5ABCFE62-842D-603E-0B00-00000000AD01}6326652C:\Windows\system32\lsass.exe{5ABCFE62-842D-603E-0A00-00000000AD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268944Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268943Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000002268942Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.070{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 23542300x80000000000000002268941Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.070{5ABCFE62-99F5-603E-8E07-00000000AD01}2576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=6F58E14809ACD6846381299CDE641024,SHA256=85E7E0F41EAD7FE300AE203CCD6222D3395F8494CF3C17D798A14493DE74BEE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002268940Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268939Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268938Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268937Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268936Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000002268935Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.054{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268934Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268933Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268932Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.054{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268931Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268930Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268929Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268928Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268927Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268926Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268925Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-2E0D-6041-9C56-00000000AD01}2156C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268924Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-99F1-603E-7A07-00000000AD01}27361532C:\Windows\system32\winlogon.exe{5ABCFE62-2E0D-6041-9C56-00000000AD01}2156C:\Windows\system32\atbroker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+3b284|C:\Windows\system32\winlogon.exe+38b7a|C:\Windows\system32\winlogon.exe+44b92|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002268923Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.041{5ABCFE62-2E0D-6041-9C56-00000000AD01}2156C:\Windows\System32\AtBroker.exe10.0.14393.0 (rs1_release.160715-1616)Windows Assistive Technology ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationATBroker.exeatbroker.exeC:\Windows\system32\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=8507D8A98EFA12F285A504DAEF14A0A5,SHA256=A84417EE9D039891AF43B267896DB921A40838D8A17CC1BE29785D031E5944D4,IMPHASH=9E9F046950193A8BA7AB446E4274C9D6{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000002268922Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268921Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+527f8|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268920Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50ff4|C:\Windows\System32\RPCRT4.dll+24e40|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000002268919Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.038{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268918Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268917Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.038{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000002268916Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.038{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268915Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268914Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000002268913Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.023{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268912Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268911Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268910Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268909Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268908Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268907Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268906Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268905Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268904Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268903Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268902Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000002268901Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.007{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268900Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268899Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-2E0D-6041-9B56-00000000AD01}6344C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268898Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268897Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268896Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268895Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8526708C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268894Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268893Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268892Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-2E0B-6041-9756-00000000AD01}5476C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268891Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268890Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268889Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268888Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268887Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525460C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268886Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525460C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268885Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 18141800x80000000000000002268884Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.007{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268883Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268882Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268881Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268880Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268879Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268878Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268877Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268876Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268875Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268874Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268873Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268872Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268871Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268870Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268869Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268868Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268867Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268866Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268865Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268864Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268863Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268862Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268861Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268860Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268859Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E0D-6041-9B56-00000000AD01}6344C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002268858Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-1000-00000000AD01}925448C:\Windows\System32\svchost.exe{5ABCFE62-2E0D-6041-9B56-00000000AD01}6344C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+549f2|c:\windows\system32\termsrv.dll+22ee6|c:\windows\system32\termsrv.dll+22763|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 154100x80000000000000002268857Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.005{5ABCFE62-2E0D-6041-9B56-00000000AD01}6344C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x80000000000000002268856Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000002268855Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 18141800x80000000000000002268854Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.007{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268853Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268852Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000002268851Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-ConnectPipe2021-03-04 18:59:25.007{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 17141700x80000000000000002268850Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 18:59:25.007{5ABCFE62-842F-603E-1000-00000000AD01}92\TSVCPIPE-80fef115-04d4-4afe-a1f0-d30687c98bf5C:\Windows\System32\svchost.exe 10341000x80000000000000002268849Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268848Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268847Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268846Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268845Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268844Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8522340C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268843Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268842Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268841Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268840Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268839Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268838Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268837Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268836Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268835Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268834Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268833Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268832Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268831Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268830Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268829Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268828Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268827Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268826Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:25.007{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268825Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268824Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268823Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268822Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268821Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268820Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268819Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}852304C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268818Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268817Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268816Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268815Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268814Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268813Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268812Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268811Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268810Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268809Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268808Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268807Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268806Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268805Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268804Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002268803Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002268802Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:24.991{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x80000000000000002269069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:26.429{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95676616F4CC4626441EB1F095DAF035,SHA256=8E1BE4D01FF9F6CD9BF9C3E2D81486EC9049D4DE2C43C1B3546B294286E1C3AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:27.617{5ABCFE62-99F4-603E-8307-00000000AD01}16243816C:\Windows\System32\rdpclip.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a09fe|C:\Windows\System32\SHELL32.dll+d2982|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:27.617{5ABCFE62-99F4-603E-8307-00000000AD01}16243816C:\Windows\System32\rdpclip.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a0968|C:\Windows\System32\SHELL32.dll+d2982|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:27.617{5ABCFE62-99F4-603E-8307-00000000AD01}16243816C:\Windows\System32\rdpclip.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a094a|C:\Windows\System32\SHELL32.dll+d2982|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:27.617{5ABCFE62-99F4-603E-8307-00000000AD01}16243816C:\Windows\System32\rdpclip.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a094a|C:\Windows\System32\SHELL32.dll+d2982|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:27.570{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255822BE166097883454F2374C703D49,SHA256=28CCF37C395661A0F58F6E756C0944E0CC5463DF069BEE6D44E145800C2D0F81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.002{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9820:3fb3:1e2:ffff-61160-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000002269074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.002{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local61160-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000002269073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.002{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-228.attackrange.local137netbios-ns 354300x80000000000000002269072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.002{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-228.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x80000000000000002269071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:22.999{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59951- 23542300x80000000000000002269070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:27.038{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E04D3162B3DF18BCBB095349010678AE,SHA256=7C8D9ACECD5C37868F397D10B307AA9D4FEE36D020AEB317AE1BBC1258324832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:28.570{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE71CFC90F1FB7ABDEC86E5EB38D400,SHA256=F339CF683509DB6E08D5E001A41BF4D7F70176476F56A85E6D59CF76B42C5150,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:23.775{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49771-false10.0.1.12-8000- 23542300x80000000000000002269083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:29.601{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D57245A5B7FEE41698149FEDD0F1C5,SHA256=2DFA580A6D6BAF6C23066F4C5BDCC7811A857C2DDB6957416A4B31F54D3D5899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:30.835{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11B1C9EFCC9DE71572814CD8326434C,SHA256=C8BD4BF3FAF6EEB46959B96EE9D0880820C79F2B314698C230DB2F80DD582807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:31.835{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A911DCA1D94747330E7E4258D4DB0B7C,SHA256=8B7711FB8D68ED202D533845AD72CA254B9725ED80DEC2B313659E008B5E1A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:31.429{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DBE6319794ED4C082A305FA2120D334,SHA256=31C422FB5EA40E519543FF40C4C4D717B91D79B22EB38A865BF2490DAA7133C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:32.867{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46664DC900C57F652A94E78245740C12,SHA256=5D15B6B42FEC9867E54D1D080F5773BD3E5F461ACE8558A9E65DEC2B3DE390C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:28.134{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local57351- 23542300x80000000000000002269091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:33.882{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B4F3D5B48263716B457EFCEE6E2271,SHA256=BC50F2DB8E0F2130924D7C5B417083B46F2DA1337B6AA5162350DB4613E1D2F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:29.149{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57351- 354300x80000000000000002269089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:28.775{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49772-false10.0.1.12-8000- 23542300x80000000000000002269092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:34.929{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57F846505BF1417D20314EAA69878B6,SHA256=1F6FA988DA28DF1BFCCEA7F92B30BD981DD148E0A49DD2D31281595BC529B708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:35.945{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59CBD92F241FA675EE316A81968205B6,SHA256=B75E8DB4B3B842C9DB707FC6F3607C4DF558A7AD1D8F3253194CDA1D88B12F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:35.429{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A12E5CA3EB48B352AE02318BA3BADCA,SHA256=C91655235380D179F2214D612DC8254529BCD59E32A369D300FE252C8236B0D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:33.853{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49773-false10.0.1.12-8000- 23542300x80000000000000002269096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:37.117{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C6601B10BBB65F5F01B1AAB07376BBA,SHA256=D856BB101D61B07C34E65F39BC81F698B7A1AC10DBB777F9F1693806B44C8A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:37.007{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B743E54A6E6B405960C79D1821CADB4,SHA256=37134468B8D70EE622F25384EC3F683E586C0E3DBE2F687E10D1A1A44F67ABDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:38.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0054F02D4ECF9016A7B37DF788145C97,SHA256=06325448FF150012D1EB5F04CDAE3DA5990B9DD7BDE4CA392E22131091DF8320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:39.492{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80575676B7349C56C976C43A1218A410,SHA256=3E7C6F9141F06BAE42CCCDF19ED23FAF9F66DD6000DD08E845B6CD1A2929B71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:39.210{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C116F42E2C6D8839E58271FA7844B65,SHA256=0CBFA783EEBF4047316161C648B1A8660820F7FA93AEF6DCE0BE349F4EE3518C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:40.242{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BD32B6DB11DCE37A0181934764AA77,SHA256=912AA981D40B82DF4A9C53D138D7BCD0FEF07969888E47E8F2BF406069668D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:41.273{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BC6E6954F54149DDD27AC231EF0AC5,SHA256=346E35033944380952660C1C662AA3C741B5F1AE632A025F11C5FFFCACC39D8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:38.884{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49775-false10.0.1.12-8000- 23542300x80000000000000002269104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:42.273{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E0C3750805D7ADDD68C6498B5EC5D6,SHA256=C3ED84EED5CA60C8CC8DE3364B19D0D0184CB5B96B9A4D1C373A0E764E3C81D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:42.257{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD1A1A907C0F1111EE98324EDFAA465,SHA256=1E3AF2C1BF1725968299572AADBFEEA7708DFFDB27146CDEE6A455C8AFBAA46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:43.288{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2037987B1D5C4B6F66C4E2957FCA80,SHA256=5CD004F1BFE6CCA93882F773B9B15A2A1450D2D3AE6B20DE135154B31E2EE4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:44.288{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8367BD0B0E6A5FAE913EF0919312CA80,SHA256=DE8A7F66FA089320EBC93F405A03A18E54D9EAA636D53C2C176CDC78FD070B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:45.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33763DCCC229F671EAD9001506875B4D,SHA256=6B0DAF9ADBD8619982E4C784F6E505B42F10DD1D8F844DDA2C0FC23613BC3B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:46.320{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CE539DB4FFF14DBD5101943CA7CE79,SHA256=713A19150FEB3CBF8D5A10228E266FAD1494E01FDAA3CBC088EFA50A49A2EFE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:43.931{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49776-false10.0.1.12-8000- 23542300x80000000000000002269111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:47.335{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE74927B400AF7BB90A61FC6B07B4DB6,SHA256=DF76040770D26042951EC74D224759FF61B8A0600A4BA66F7F4A9C55CD333648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:47.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F5667826C41F15C8868C5F8F353A8E1,SHA256=796F81157825578CEDBEC5EC4DC27F5112B757633A340B9BBED75CEE832B1675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:48.351{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096CAF79CC2A4AE19F16A4CCC5CF1819,SHA256=C7297141B70817D7C26F0F25B491B80F6016013907F0BB2549B31D471994F5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:49.367{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8218B2321225D1822D469A58A62A45A2,SHA256=899AE9774B7865E0A5107A12A05E69759D96A961DA6937FE825CF8729A715265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:50.367{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB110A054CED868195C7FF54F5DA3D0,SHA256=6C205068143EA939BF48DC91BCEC09FECC4741D45FB1FFFE8593653EC77E6045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:51.367{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05294E1C8E66F995F8C96EA3775D967,SHA256=E99B028113F50E29B2B479627C1678F0D4D5832349FCA47400B6DA8F28388284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:52.382{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7BB0CB4D7B6C4AA05937F8BC6065DE,SHA256=4A32AF9B631A8165B4E94832C5E577FF3DA363696EBD17459C7D950C88A327C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:52.320{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86DEE2706C6C4AEFDA2F50FCCA105380,SHA256=3181B6D8A278128409726808F282E6610808F523DCF8C3662B54A7A52008B43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:52.320{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A5AA08099BB3D754D6F61F7E74733A4,SHA256=DF59D9B44118095D7845CE84DB898B6E3744A14F32CC057043C164322F9CD9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:53.398{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B185C23D94B60249EC77A08CE73903F7,SHA256=334D265C315B1458AEF6EBC7DFEFBA61E9BAA918011B3D719CFCE39EAAC9EC38,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:48.978{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49777-false10.0.1.12-8000- 23542300x80000000000000002269267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.977{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A94B4FA1BE0EA951AB81DFAA67998,SHA256=335514CB48978C6EDD4A947AA28341CEC0E87F7AB4F089A7205E5AE4937F7D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.962{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.946{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.883{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 354300x80000000000000002269237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:50.899{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65535- 23542300x80000000000000002269236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.837{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481B9BA992F9C71AC61D402B136675F1,SHA256=FD7786A28991C42F0C71D9FBE9B0F32EAF9790A08B4AA9E1871E7848A773609B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.805{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974 10341000x80000000000000002269221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892 10341000x80000000000000002269220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892 10341000x80000000000000002269219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.649{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000002269209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.618{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A3E825FC396FE0C5F876164626167,SHA256=0D1D465E69C26194030C8C05E95422463B85883AA01BB3CE4C3DA2918E62D1C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.602{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.587{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.587{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000002269195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.571{5ABCFE62-9A00-603E-9E07-00000000AD01}4168ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MWX0NO6P\microsoft.windows[1].xmlMD5=7064FCB7AE8B0989B07DF881EEDD774D,SHA256=153DF6A3EB1498A04BDD848475E2D952DFB4406335A4FCF64C683F98632AC3E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000002269193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000002269192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41405408C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41405408C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.555{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000002269184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EEB67E924D4F0C3E1F3339CF4962B1,SHA256=8E7393F009AA3C29E715C39C16E6764064E83A1F50832AE661CF52C016FB23FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-9A00-603E-9E07-00000000AD01}4168ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MWX0NO6P\microsoft.windows[1].xmlMD5=45440C7D1B98FF817F21254A7A93C34B,SHA256=C16DC5415043174C7A735D886DDE868A437421DAFC8C761754E08997BF6F4B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002269179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-99F4-603E-8407-00000000AD01}41405752C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002269178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-99F4-603E-8407-00000000AD01}41405408C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-99F4-603E-8407-00000000AD01}41405408C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 23542300x80000000000000002269176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F01F445566E0029065B2A575448FB7E,SHA256=A26BEAFFE90D821C3038E906B2FC3947A1F22F0F33B85ABAE149457DACB15DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86DEE2706C6C4AEFDA2F50FCCA105380,SHA256=3181B6D8A278128409726808F282E6610808F523DCF8C3662B54A7A52008B43D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.540{5ABCFE62-99F5-603E-8E07-00000000AD01}25765168C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.524{5ABCFE62-99F5-603E-8E07-00000000AD01}25765168C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.524{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.524{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.117{5ABCFE62-842F-603E-0F00-00000000AD01}2966324C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-A056-00000000AD01}984C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.117{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-A056-00000000AD01}984C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-A056-00000000AD01}984C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.101{5ABCFE62-99F1-603E-7907-00000000AD01}30802060C:\Windows\system32\csrss.exe{5ABCFE62-2E2A-6041-A056-00000000AD01}984C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.101{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E2A-6041-A056-00000000AD01}984C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.101{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-A056-00000000AD01}984C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.085{5ABCFE62-842F-603E-0F00-00000000AD01}2966324C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-9F56-00000000AD01}5900C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.085{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-9F56-00000000AD01}5900C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.085{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-9F56-00000000AD01}5900C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.070{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-2E2A-6041-9F56-00000000AD01}5900C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.070{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E2A-6041-9F56-00000000AD01}5900C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.070{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E2A-6041-9F56-00000000AD01}5900C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000002269151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.054{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000002269150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25765916C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25765916C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25765916C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.039{5ABCFE62-99F5-603E-8E07-00000000AD01}25762044C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0D00-00000000AD01}9123192C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0D00-00000000AD01}9123192C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0D00-00000000AD01}9123192C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0D00-00000000AD01}9123192C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0D00-00000000AD01}9123192C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0D00-00000000AD01}9123192C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-99F5-603E-8E07-00000000AD01}2576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x80000000000000002269122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.023{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x80000000000000002269373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.903{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BA536445B2499E6E598F5600CCB56A,SHA256=C4209D155257C024199CBCD95CDBA8A342C6C736494BA77ABD6EBAC9B452C4A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}56165740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}56165740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}56165740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}56165740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}56165740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+170f46|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}56165740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170f34|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}56165740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170f34|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.778{5ABCFE62-2E2B-6041-A156-00000000AD01}5616ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFa682c52.TMPMD5=E498BFA0D32F619435DA9D8C71D7D0DF,SHA256=E1A98269E832ECD2B4E392B02AF00CD323221877A96FDF8F693ACD1AADC6A48A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.762{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.746{5ABCFE62-842F-603E-0F00-00000000AD01}2964116C:\Windows\system32\svchost.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.746{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25765916C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25765916C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F4-603E-8807-00000000AD01}6441640C:\Windows\system32\taskhostw.exe{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F4-603E-8807-00000000AD01}6441640C:\Windows\system32\taskhostw.exe{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25766368C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+109f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25766368C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+109f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25766368C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25766368C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25766368C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.731{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.699{5ABCFE62-842F-603E-0F00-00000000AD01}2964116C:\Windows\system32\svchost.exe{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.699{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.699{5ABCFE62-2E2B-6041-A256-00000000AD01}26765604C:\Windows\system32\conhost.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000002269344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000002269343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-2E2B-6041-A256-00000000AD01}2676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F5-603E-8E07-00000000AD01}25766724C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F5-603E-8E07-00000000AD01}25766724C:\Windows\Explorer.EXE{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F5-603E-8E07-00000000AD01}25766012C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F1-603E-7907-00000000AD01}30802060C:\Windows\system32\csrss.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.684{5ABCFE62-99F5-603E-8E07-00000000AD01}25762348C:\Windows\Explorer.EXE{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8e7a1|C:\Windows\System32\SHELL32.dll+8d606|C:\Windows\System32\SHELL32.dll+ce551|C:\Windows\System32\SHELL32.dll+b475e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+ce5d7|C:\Windows\System32\SHELL32.dll+b475e|C:\Windows\System32\SHELL32.dll+17046f 154100x80000000000000002269330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.678{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000002269329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.653{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.653{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.653{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000002269326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.653{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000002269325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.653{5ABCFE62-99F5-603E-8E07-00000000AD01}25761476C:\Windows\Explorer.EXE{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.653{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.653{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.528{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF2667ABD366F3B05BBD3EEDA94B9BE,SHA256=598ECAAD1D35A92776660A2B93ED38405453FE430E8A3F4B9CCD7037671570DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.528{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CD40E04A0055FF875D4F257ACCF5BA,SHA256=BBC1CD88FBA158706D90889B0555826C31B146111A20B98E457409518E470C1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.457{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.457{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.457{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.457{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.457{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.441{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.305{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.290{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.290{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000002269294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.196{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363C0FC70975BFD2512F4D78258C23B8,SHA256=618284F6850A7DFB3CD79872CD9864B5C403E721CF288B229439B3FA14E324E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.180{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.180{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.180{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.180{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.180{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.165{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002269279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41404164C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41404308C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41406496C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41406924C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000002269269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.087{5ABCFE62-99F4-603E-8407-00000000AD01}41406424C:\Windows\System32\RuntimeBroker.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000002269382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.822{5ABCFE62-842D-603E-0B00-00000000AD01}6325124C:\Windows\system32\lsass.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.822{5ABCFE62-842D-603E-0B00-00000000AD01}6325124C:\Windows\system32\lsass.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002269380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 18:59:56.759{5ABCFE62-2E2B-6041-A156-00000000AD01}5616\PSHost.132593579956784706.5616.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002269379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.744{5ABCFE62-2E2B-6041-A156-00000000AD01}5616ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5mw0u2uz.1ns.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.744{5ABCFE62-2E2B-6041-A156-00000000AD01}5616ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_dwh3hlho.zoy.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.681{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAE061847C5877585F7F9A1C108D2CD,SHA256=5DD3EC941E66C128B5194E8B655E4B58D1216AE178ED4982408B48BE67EE6ED0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002269376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.509{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_dwh3hlho.zoy.ps12021-03-04 18:59:56.509 10341000x80000000000000002269375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.494{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:56.121{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70E1739C47942303866D83485717007,SHA256=A4DB30E5DDE77225D1C3B62E1E238C4B2B2B5D40AB0C00C675E4DB9AEB4F2293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:57.681{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDDF666DEBDB465CDFB7C2F556EDB38,SHA256=E984139A2799A6F1E5A3F8583D99B89A90A2AFC9B53B557107E8A67A3AB70AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:57.525{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A107ECC9AFC42891C1304D93993F3372,SHA256=AD62D887012689459F41A2D068306F8E3811DE627A0A116B798DBCB7B73FEEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:57.244{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17F0D3341FF7EA6402F9EB736F4CA1B5,SHA256=BAE8946CF2E73B329CE23C7CD0F257F7961419DED937F2F28344313886911D10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.840{5ABCFE62-2E2E-6041-A356-00000000AD01}21005988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.684{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCF23332010EFFBB36D2D9FD264FB61F,SHA256=B43F94BEC8BFD6D2678AFCBEC23CF1BBCE34C7B7A6D12D05C63EF67BED456282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.684{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF933363BF7CAABC1B7D282AC5B6AF5,SHA256=725637FEA16C3162B70DF3C64A81D23975CAE11926F25694A818399305B59CAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.637{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E2E-6041-A356-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.622{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.622{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.622{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.622{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.622{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E2E-6041-A356-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.622{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E2E-6041-A356-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:58.494{5ABCFE62-2E2E-6041-A356-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.872{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A5DC4B61CC26625F791C8F762B3B95,SHA256=41AB04E2C2CF71D7EDA347BC0778A225D2733D1973620BA4DE8610D7163CE560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.700{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C1A953EAF2E116CC65CF869D61600E,SHA256=CA2C903FFA85EC76A535942C3E71500F75FA4856694A448F34B7E743E2E478E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.497{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E2F-6041-A456-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.497{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.497{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.497{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.497{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.497{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E2F-6041-A456-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.497{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E2F-6041-A456-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.372{5ABCFE62-2E2F-6041-A456-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002269399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.417{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local49779-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002269398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:55.417{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local49779-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002269397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:54.808{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49778-false10.0.1.12-8000- 10341000x80000000000000002269425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.965{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.965{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.965{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002269422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.731{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101969AB36AF2A2E581272B2A0EA25AA,SHA256=9A4F0BA6DC81C6F37303B3407D2BE594D27F37BBC08250C6CAAD1B3BC7298299,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.153{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E30-6041-A556-00000000AD01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.153{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.153{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.153{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.153{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.153{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E30-6041-A556-00000000AD01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.153{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E30-6041-A556-00000000AD01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.029{5ABCFE62-2E30-6041-A556-00000000AD01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002269413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.044{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.044{5ABCFE62-842F-603E-0C00-00000000AD01}8525956C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.044{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:00.044{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002269433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.856{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740601CEBE169931B203B6E1ADB89FC5,SHA256=228E9F01539F70724124E8D4E1FD3CCFB0C378D143E147FB197F8131BAC629D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.137{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.137{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.137{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.137{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.137{5ABCFE62-842F-603E-0C00-00000000AD01}8525632C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002269427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.137{5ABCFE62-99F4-603E-8507-00000000AD01}16204304C:\Windows\system32\sihost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:01.028{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE86FD9D3B38E7680AA36508D12598EB,SHA256=571B0664B61D4F1BE4230A1224C20ACEFC56D4454368F49910E19E57E108EC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:02.872{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF730E46A621721E606D2CCB1B6A132B,SHA256=12169D14F58443C6036A590EBAD7DF921539311B0FF295E07883E76AD81220A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:03.075{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE811112B8E4ED36601C225202AC4270,SHA256=DB2CB6D1ECA2CF9EB5E3725EAE13B6052FA14AEB41A5CF4AF18AEC9D09A00B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:04.481{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ED69DAE223AABAD055F00AB98F86C018,SHA256=2847D6352F8DAA0EAED6838469E43E2EB08B0FD26F6DA4C934A8B7F0B24741AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 18:59:59.811{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49780-false10.0.1.12-8000- 23542300x80000000000000002269436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:04.106{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77E4D817B176C36EB6CD20110570F7A,SHA256=A1C8055AB868EC879CC9ECB3994945535CF735E0BB55EB5608D7BB4A53D1FC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:05.122{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75337A03826D64FBC4847FE9694D8D0E,SHA256=800ECA8FC72F14AE1BF18682A24E707F7F0B75B68B1F49A2053A395B394F3E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:06.122{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6516DDA640215F59E408DBFB37FAC92,SHA256=DD27C8C735F1F0603D171C32D05363A8A500CAD1852CF65A6F4817D1AE436A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:07.137{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4DB29CD4CD3E16A00812E09EF1E995,SHA256=23644FDD9A49829526EE9243EC40DC2830F9DA80C6DDDAAA44A1DFA4EA8A1863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:08.137{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A15D43A47CAE141970FE1E315693B4,SHA256=047FACE340B0A0B40A072706744ACF89DD71656AD6EE3081871B7A9DDBFF242E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:08.122{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED6008B2F7385D38B16487BB83390617,SHA256=54BA3ECB4291AF7893E128A6BE80EF99ED2549BC0F6051C555D6A146D7E89BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:08.122{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2881A96136F6A78E9283BF5709D7D545,SHA256=CCFFCB7CDF4761E70D64710C4B79C89CFC760A5112313BCFCBEE0F9A72B7C5F6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002269458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000002269457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000002269456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\AddressTypeDWORD (0x00000000) 13241300x80000000000000002269455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\LeaseTerminatesTimeDWORD (0x60413c49) 13241300x80000000000000002269454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\T2DWORD (0x60413a87) 13241300x80000000000000002269453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\T1DWORD (0x60413541) 13241300x80000000000000002269452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\LeaseObtainedTimeDWORD (0x60412e39) 13241300x80000000000000002269451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\LeaseDWORD (0x00000e10) 13241300x80000000000000002269450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpServer10.0.1.1 13241300x80000000000000002269449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpSubnetMask255.255.255.0 13241300x80000000000000002269448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpIPAddress10.0.1.14 13241300x80000000000000002269447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:09.934{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpInterfaceOptionsBinary Data 354300x80000000000000002269446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:04.873{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49781-false10.0.1.12-8000- 23542300x80000000000000002269445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.153{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294B0F97304C7BF800366DEE7CCE97D1,SHA256=87566106702E9BA65F161027B49E07A67A726242B0A35E197CB02FFBFEACD14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:10.950{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED6008B2F7385D38B16487BB83390617,SHA256=54BA3ECB4291AF7893E128A6BE80EF99ED2549BC0F6051C555D6A146D7E89BE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:10.450{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002269461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:10.169{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6DDBB61D75A6A26C910B69C45C37E8,SHA256=734A9BC43B237AEDC63DC6787F9FB9B6242137C594ECB99FA1997F9F7F7C1A18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:10.090{5ABCFE62-842F-603E-0F00-00000000AD01}2964044C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:10.090{5ABCFE62-842F-603E-0F00-00000000AD01}2964044C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:11.997{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=679D0B5CCB1D871B893783689754AAF7,SHA256=4088E3D51ECCAB2966E336E45F560482691AE52F1763097BAD47E0D9C6F0768E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002269480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002269479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002269478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002269477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\FlagsDWORD (0x00000002) 13241300x80000000000000002269476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\TtlDWORD (0x000004b0) 13241300x80000000000000002269475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\SentPriUpdateToIpBinary Data 13241300x80000000000000002269474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\SentUpdateToIpBinary Data 13241300x80000000000000002269473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\DnsServersBinary Data 13241300x80000000000000002269472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\HostAddrsBinary Data 13241300x80000000000000002269471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\PrimaryDomainNameattackrange.local 13241300x80000000000000002269470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\AdapterDomainName(Empty) 13241300x80000000000000002269469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\Hostnamewin-dc-228 10341000x80000000000000002269468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:11.965{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000002269467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:11.965{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000002269466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:11.512{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:07.686{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-228.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 23542300x80000000000000002269464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:11.184{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FEB487936A169707F288A04DAF0E6AF,SHA256=D3598F92405C820A1DD85A4AEF31AB990DD0E6E2208E31894A4574B0186A9DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:12.637{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=600D78202126F8D831DF0776A909FD34,SHA256=2267E2970BF1C7AB15922AAF7A9DE40BB6C90E095F99728418669E8F0BA1FDD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:08.202{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49782-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002269483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:08.202{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49782-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 23542300x80000000000000002269482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:12.200{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3333A91F77D90B294D33BFB5B5864A3,SHA256=B445558B25CD927DD37124158506AA362D72F2B330DA499893D605C1ECE4104B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.730{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.14win-dc-228.attackrange.local54374- 354300x80000000000000002269502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.729{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local58986-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002269501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.729{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.14win-dc-228.attackrange.local58986- 354300x80000000000000002269500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.729{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9820:3fb3:1e2:ffff-58986-truea00:10e:0:0:0:0:0:0win-dc-228.attackrange.local53domain 354300x80000000000000002269499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.729{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64802- 354300x80000000000000002269498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.728{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56117- 354300x80000000000000002269497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.728{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56117-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domain 354300x80000000000000002269496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.724{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60247-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002269495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.724{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60247-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002269494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.723{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.14win-dc-228.attackrange.local57993- 354300x80000000000000002269493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.722{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local60246-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002269492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.722{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-228.attackrange.local60246-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002269491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.720{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.14win-dc-228.attackrange.local59678- 354300x80000000000000002269490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.720{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-228.attackrange.local59678-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002269489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.720{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56397- 354300x80000000000000002269488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.264{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local49783-false10.0.1.12-8089- 23542300x80000000000000002269487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:13.309{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB3C5AF219015C7F9024DDAD35A95372,SHA256=C11E3E2BFE834BBE7780B00A8BAE495F29E750C13A3C6C5F7B826289B066D731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:13.215{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACB2E93303513998C3AA11B622E2869,SHA256=FDEA840FD1DAD88B6B86E9D29D7B687B1D2C6362ED190B32B3EEA8F580429682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.981{5ABCFE62-2E3E-6041-A756-00000000AD01}69206312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.887{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F786CB6B6FC417D413B398DC2033766A,SHA256=D034C97027A6F63BA085FAC76CDAFE1E3745829D85B46C1F2FE142FAC8B71A30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.840{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E3E-6041-A756-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.840{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.840{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.840{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.840{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.840{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2E3E-6041-A756-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.840{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E3E-6041-A756-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.841{5ABCFE62-2E3E-6041-A756-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.622{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349A3A4D432E1AF40CE0CCD09BED2982,SHA256=AB048F9EECD6D603B158B77DA61D5C5240CE8AD9C9A48C570542DFC81E3715B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:09.936{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60248-false10.0.1.12-8000- 10341000x80000000000000002269522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.294{5ABCFE62-2E3E-6041-A656-00000000AD01}46044440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E3E-6041-A656-00000000AD01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E3E-6041-A656-00000000AD01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E3E-6041-A656-00000000AD01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.169{5ABCFE62-2E3E-6041-A656-00000000AD01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000002269513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002269512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a687428) 13241300x80000000000000002269511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d71120-0x39cb67a7) 13241300x80000000000000002269510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d71128-0x9b8fcfa7) 13241300x80000000000000002269509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71130-0xfd5437a7) 13241300x80000000000000002269508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002269507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a687428) 13241300x80000000000000002269506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d71120-0x39cb67a7) 13241300x80000000000000002269505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d71128-0x9b8fcfa7) 13241300x80000000000000002269504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:00:14.169{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71130-0xfd5437a7) 10341000x80000000000000002269553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.965{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E3F-6041-A956-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.965{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.965{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.965{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.965{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.965{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2E3F-6041-A956-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.965{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E3F-6041-A956-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.966{5ABCFE62-2E3F-6041-A956-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.903{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83572795E78008ABC195CBDB9313561B,SHA256=473863959C645349320F4BA20C3685655DF48729B8E05EA5B6814C214D80D630,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:11.639{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58370- 10341000x80000000000000002269543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.340{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E3F-6041-A856-00000000AD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.340{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.340{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.340{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.340{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.340{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2E3F-6041-A856-00000000AD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.340{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E3F-6041-A856-00000000AD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.342{5ABCFE62-2E3F-6041-A856-00000000AD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:15.309{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765242C7A9FC3522E5C9CE3FA66CD123,SHA256=F407B949DD3F5476F6EA7788D34C4CA98E6F3B906B5DDF6C87D4F9087A5A4ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:12.638{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58370- 23542300x80000000000000002269555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:16.325{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5EC1E8BB606F8D2739F044FEFBECB7,SHA256=782B69344E1E28A53CD22FCE776AE08884481246B9C9FF102FA8C950B8A2FB9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:16.090{5ABCFE62-2E3F-6041-A956-00000000AD01}58205792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:17.356{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FDEFCEEE7B05E2CDC180CC4258F6F2,SHA256=45090B0991F7467E036A84FEC201A9E2695A63A8EADB438388CFC7CDF473A67C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:16.997{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1E6E284CECE79783C05D32A26689370,SHA256=A85020EFCD31C2691F191988C5258BCFC09D5F28AF54B8D90FC076593EDAAA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:18.387{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAB6977833AEF769A17FF2BF555ED72,SHA256=8F1C2C02BD4042786E7FFEBBC6ED70935F5049BC3FF32ACE755AA67C671691E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:18.247{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177AB3545C0526DDD763E0136F94141A,SHA256=1195E1028877B21554B44506F65BDF6B66108EEEE798D1417AF5057470708743,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:14.967{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60249-false10.0.1.12-8000- 23542300x80000000000000002269561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:19.403{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEFEB18AD36976D1A1FF6757EA18FFB,SHA256=72F5971A98C9EB148B1B623D5C9D543DD3E66EDEF86C92220A8FDDB1403A8C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:20.419{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB4C523F2D32A64A1D325F0CD27B853,SHA256=D2701E0B1B82609079032393D437218CB0CE6A93FD38DF92299B60F8B05A9665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:21.434{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF035AF3D3D8EEFEDEC4AD2BA0820D9A,SHA256=4B379CA2791F914706303B8E1653B67102D9CD8D61EAC60BBD3FFE01524B49FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:22.465{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9E41622C25F2369294ED8095007E81,SHA256=52EDDB9D65BFDA443B8E62FDAFB7E1AFBE6EAF1F5925AAFC0A5BE298D369CA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:22.294{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01B2DDC9C50838E5A9B70D960749E534,SHA256=4EF81169E51F2CDE6C2B404F00134BAAAA7AF5435F5EEDBF1D24BCD56463D322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:23.497{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D8666EA12741675E9F9CEEF6746BF4,SHA256=C3045DAB61184062F6D56D8B5B7810CAD51B7F81942A9F3B244AF10A493C99DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:23.044{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=033A4B7E004A682ADD9F1ACD3E9D1434,SHA256=3DC565E33327F964BA92CD8D496BB9ECA6B94337B142107E44E6A0214FD2FE8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:20.873{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60250-false10.0.1.12-8000- 23542300x80000000000000002269570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:24.528{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FEBA68D8AD141F7171A914662FFC54,SHA256=D89944962BF2B9804AEDF277A68D28805126274C1AEABB3128ECBE44FAE06FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:24.122{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A308FEE47DA0EFC20D014C9C97BA71B8,SHA256=250AAF18B4849D4106EB77B403BC686A9AD347094A7FC99DCCE238B5A7C3EAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:25.528{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A32142A63D5BA5EBF3CB56E17E4AE9A,SHA256=9668897647D02FE8D5F99EE791256862A397510A66812AB384BEC59A65AE0F66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:21.793{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-228.attackrange.local60251-false72.21.81.240-80http 23542300x80000000000000002269575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:26.637{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D507098A4383F919DBF823398C57BBB0,SHA256=3E52F19B7C98A97074819DD9E61CAA8D349FF57C55053FE13AEA49ABC5813CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:26.637{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9EBF126806742988D0C4A64866872B43,SHA256=DBAB9992F562502079B435B332CAC30D6F5466C5A603DDD98A21A833DD15BF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:26.544{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDC3B2F4414B691E249E1BCC80A1E14,SHA256=A750BD5370023E09710BC21140603D0FAC2FF97C304B0B18F6CD7B114574E9AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:27.559{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD25D93BDA111B03DC0FA443E5AA6BD,SHA256=B48CFD53A40D00DF3F50DE794C57DA3BFB0171A9BF87004FFBD9D91D212C9C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:28.575{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4848CAFA85C0ABDF3BEB27647B65EA7A,SHA256=A9E66A62A7E15B74FEF597DEE12060A63917CABC240700113BB53E1B23396FD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:25.936{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60252-false10.0.1.12-8000- 23542300x80000000000000002269581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:29.575{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9722477F7F65764C39F9531713A589A,SHA256=1333AF90C4CA4C3E1E8E1F5041ECF00EE9F58642F0C11998F5A9D8DE33ABC2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:29.200{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=761DFE8E736418616653E68B4B937D42,SHA256=AD3B651D6EE36483AA18A175E1203C1BC98A9FDA84F49317CFE247C8EAA03113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:29.200{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F94891EB64F8B1C7DEBC6858BEF44C34,SHA256=13BB7C6C071BACC5F89F7EB59DC79EC9F633C8AC4626B8E61AD8C3ED23EFFF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:30.606{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269A0DD627BDE129B4CB2FC0F6BD0D14,SHA256=0B155D904C5CBBFCFC522754E77F1A6266EA6D711CAEB1F3981A20A09544C3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:31.608{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC13D8A6EB0ECDBC9D78185B58455F4,SHA256=BC83636911513DCABD1AC1719B72179901A7B610D1D4EDAC83DC028D18F759EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:32.639{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11CACACF26D2E5DF76B9F08E83BA7F8,SHA256=AE8C104993C96A4BCB31AC362777F06858FFC65E9FDC132B1C94CDFFCAD54EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:33.671{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC75783BBBAC19650C83CC6FBE488991,SHA256=562042B6C57B647BA33C9CE2202FA677E2562E262D565C54A0A0E8059A8E8D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:34.686{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69CFE5A7073594A4D42C3B2FE053A4A,SHA256=7955BD6035D122F8BA5989DEE1EAAEA78DC5B0D5DFCA9A69726DE0FD2F6E2FFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:31.797{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60253-false10.0.1.12-8000- 23542300x80000000000000002269590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:35.702{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AED121818E85B0713173BAF895C508,SHA256=EC5B066D05D6B65201E0E52B63B1E6744B398654FCEF3E1F327F41E01CB32803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:35.092{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=661722C135911B6B8BDD2DB03D4AD026,SHA256=016B7BC93106E430ADE81E117C4F2E5333D5C596A660903C31308DF66A3FA16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:35.092{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=761DFE8E736418616653E68B4B937D42,SHA256=AD3B651D6EE36483AA18A175E1203C1BC98A9FDA84F49317CFE247C8EAA03113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:36.702{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891F632517939B7C9941F4C9120F0E77,SHA256=99806BDD273E94DE5D8F06FA01C1D362F1B07353ECD1CF32ECB9E18D7CD0BFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:36.624{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=661722C135911B6B8BDD2DB03D4AD026,SHA256=016B7BC93106E430ADE81E117C4F2E5333D5C596A660903C31308DF66A3FA16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:37.733{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0D7BE6CEF461017DED8B0C0F8AEEDA,SHA256=3CA03E8DA385E55C964B9EE3971769D76E948CE6E285BF081B07A3034A833A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:37.624{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DED116F58A19D10772E3FBEC57249C61,SHA256=3C1FFCA9DA1A72290B0E5BC421E659091154EF6E3464592B3A96C84DFF2EBCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:38.749{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7600562864C53C25FAD01A199B9157E6,SHA256=20998C8268C2E9E3828BD1A44BC7F9EC75962A633616EE835845F57C96502466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:38.733{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E7423C30F4627B460AE6574B75FE93A,SHA256=6F497E147C3FFB181B726EFD23A4B4DD868D6E4BD8D70A1A3EEA613D48FC7A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:39.780{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A584F6DF0361ED7D277FE24D89FBBA1F,SHA256=87BCFF56C5A73A1256AD1B8EB6D5A3D35325F648EEF53182B575A55B55C97B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:40.796{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3662B5B4994F5C989CE4F57BC8879C3,SHA256=115E0432B643588D577740ED4CA3A25D9A42F420B97A0A65650855EB279B8766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:40.092{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB7A615DF7F1DD8E4C136B2ABFB2926B,SHA256=46AD3440B9E82F644E5186D149D9DFBD5F97EF26CED1347B24E8965BDF953401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:41.811{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB92798F600DB8FCF81F5B964463952,SHA256=9EFF5BF394AEC17304FEFA17AF6CDF50DDE716F4105D9F0CAF278AF20FAD4581,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:36.813{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60255-false10.0.1.12-8000- 23542300x80000000000000002269603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:42.811{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCD73377DF4B5CC6B8A797192FF3D5B,SHA256=92FCEB7C1BC93BDB160E0B0923157FDA4431977706B66503B62E3A2813AC8BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:43.827{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59070FAA4A7EE95346100FEDCC808970,SHA256=154F6962BB92934B399586BD7BEFCB7EA7D5D94B2846448A25B8F13479FCEA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:44.905{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BF59C9C3F6FA4BB2A9F14184F8D45A,SHA256=4F10A43933CC5B34C27C777DF1E5F1BCC1F318EB779BA1AA55071FCF7CEE836F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:44.671{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F80E1D08520CCC9F85AD51525682A309,SHA256=ABABBA1D30E6AFEE91D19B4A17CF2D3D20BAED35C79BE866A368B8F2F310E686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:45.905{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA4D09ABE1B5B43DA09518CC451584E,SHA256=C189A9AC4D866774BDD528589E7B3B17A3C1329B5F4C9989680711581AFAD515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:46.905{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68438353DBE7CC743229A7327DFAF90,SHA256=E9F32D63B82B012AB16935ADBD4E072E0E42B947952ADAFF2BD9BF59626FB653,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:41.844{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60256-false10.0.1.12-8000- 23542300x80000000000000002269610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:47.921{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29075ECD2011559E48A4CD4B1671448,SHA256=9259166363689C4ECD4372CB5B1F77CAD201413C7E041516BE3EB95BC79EB8EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:48.936{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19081430DCCFB7F363806D0860BFE70D,SHA256=91E61C54EADF7E85D7B39DA7A62EBB2C42220201CE71444981D16EB6B3E1C900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:48.686{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=606757DB6843F50ABAF14B822A6D6DEC,SHA256=B70F7D4D4BF158375E48EF45AD852E4451D09DE1645098567A95623EA8913D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:49.952{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863EB3B61CB91B8E4EC7D5661CC9F61E,SHA256=156BD30E831721E263B60B7F828C66637B05E3D6B44C19289EAFD5A8E8D707F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:45.422{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53763- 23542300x80000000000000002269617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:50.952{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F91A1F4377C2A7D56D5854A1D5638A,SHA256=BDDFAB4F2CE400C4EB319CD1F78D5526426B2451968111C98E77CFD150D55802,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:46.421{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53763- 23542300x80000000000000002269615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:50.139{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4C9F05B3378ACD0727C4C08B07959A9,SHA256=2A451499D4955291F00BF7DFCF9333B54C26817E83F2D754753B630E190136D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:51.967{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F507627ECFC66C6EF1895C36022B9C3A,SHA256=83C2C60FC6997CAB2F37A1275906140E99E1AF791A07AFD3186E38F57A8F722C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:46.891{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60257-false10.0.1.12-8000- 23542300x80000000000000002269620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:52.968{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F454875B9E4E957696B4F00B878176,SHA256=398B01C1DABA0B29094C7E2ED2D5C110C189FAB5BD73C39176E1929B8413A550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:53.983{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BE4FCF75B7FEB1DF2383095D56DC2B,SHA256=3B022BE371062E2CC72AF3E80504D7E68DEAF9D16E9EC3BF369DFDFCCF4A959F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:54.983{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598FAD783A63585FF82BB75EE9877C2F,SHA256=C4DF2FE3D4CCEB3A8071D55D8B1C3BDB050B10A2DE22F105006EB282B74864C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:51.922{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60258-false10.0.1.12-8000- 23542300x80000000000000002269624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:55.186{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D50D5EBF2A0F553D571B445A4484E934,SHA256=1102DA53C766597FDCDAE571B35AEE2A7BFF6E0A285462262498DE968501F4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:55.186{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01305AD5DDC6F13EB83ECBF38DF10280,SHA256=71051FEAE144154275BE5DD73240F644AEA89C51796ADA6FF0D80DE95364D431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:56.546{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D50D5EBF2A0F553D571B445A4484E934,SHA256=1102DA53C766597FDCDAE571B35AEE2A7BFF6E0A285462262498DE968501F4FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:52.595{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60259-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002269627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:52.595{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60259-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 23542300x80000000000000002269626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:55.999{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40920DB367BA46BC680DEEB51FE8E666,SHA256=777B833923B59E16D0FF054AF3A9BFA1D399983449DB0FC2A3E52065D3943136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:57.093{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3FD25F7C0896246B446FEF76EF24D0,SHA256=106D389B7A71DA101A2CBDA950EA90CA5FD3819F0A7F65E15C78521061BE9FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.687{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10C0087ACED26BEC8E2C73DE27388842,SHA256=769A0A2824CC20368F3D795F93EED50AF36C9E119FF543F5C60825C96647E8CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.405{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E6A-6041-AA56-00000000AD01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.405{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.405{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.405{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.405{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.405{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E6A-6041-AA56-00000000AD01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.405{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E6A-6041-AA56-00000000AD01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.406{5ABCFE62-2E6A-6041-AA56-00000000AD01}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:58.108{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40A7FC904A2984AA904D1EF563642EF,SHA256=65576B4E207F71CC09A74A049571032222A8211524D598CCECB869C2D53D26FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.719{5ABCFE62-2E6B-6041-AC56-00000000AD01}34966164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.703{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE2DB57F50F1E6441517FA64A8B5BC43,SHA256=36F8307E186870E990D0CD76FF7C7F3463A8B18FCF8A7C0CF7673D385D1B5A70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.594{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E6B-6041-AC56-00000000AD01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.594{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.594{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.594{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.594{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.594{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E6B-6041-AC56-00000000AD01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.594{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E6B-6041-AC56-00000000AD01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.595{5ABCFE62-2E6B-6041-AC56-00000000AD01}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002269651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:55.422{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60260-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002269650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:55.422{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60260-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002269649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.109{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34323089FAEDE92D9032B2DD6429451,SHA256=B8CE4BB1AA4C36E8D8AB2CCCE97A553F58A062DFB50B249BA7479B43C3BFB1E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.078{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E6B-6041-AB56-00000000AD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.078{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.078{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.078{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.078{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.078{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2E6B-6041-AB56-00000000AD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.078{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E6B-6041-AB56-00000000AD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:59.079{5ABCFE62-2E6B-6041-AB56-00000000AD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:00.722{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D20C056A0C97C2122C35D64ED52AE3C5,SHA256=95EC2BF0DCC56D6B01B26F4CD0BE29759F06052F23CD240276E551E978F77C9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:56.438{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64384- 354300x80000000000000002269663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:55.437{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64384- 23542300x80000000000000002269662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:00.125{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BAB680D0F92346B59F3AB941C97C84,SHA256=F9F3C6AAA698515A5D6799F96A2CEA9293AC9D2CC0F12FA6228B75DF458EB9AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:00:56.955{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60261-false10.0.1.12-8000- 23542300x80000000000000002269666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:01.128{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30C68B7F19ABBF2A4C49492404DEB59,SHA256=D8E55CFF9F88FE3151352B5963C914B6C995C884CAE5B546258BA10C41068F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:02.706{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7446C6C1C340EA509ADF17CC01D89002,SHA256=5441D39C1F02AD5501451B1A5E0410A7F2C50E19226CF8119F782D0BEA833C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:02.144{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF44C0A41F3A551DF4676C2272D70DA,SHA256=B7E5FF18925ED122270CC7F69EC70FD41E6496E2BC0C2B21276ADECE2F0FC9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:03.144{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F1A8B0E328517CAF7CADE42BB181E3,SHA256=816E542614CA4457076E8417A593AD819A83A2F0D47BEB1EA80A360A790E0370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:04.175{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496684531F7DC54BF91D4389370C2908,SHA256=8C6CD98EBA01E9F01CC80E5A4D2E090B1235603080C7A95A22E334651F79397A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:05.191{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30F7C70C865D36EACDE3DA08AC5AD46,SHA256=61059742FAECFF8C7BF78B788B5340E6197D9226470441E590B775751EAAA7D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:02.973{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60262-false10.0.1.12-8000- 23542300x80000000000000002269674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:06.269{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC8D77EED536877D35BF4B6FEB993B1F,SHA256=075A222174486EA5E8434820B9D840F97CD1CAFB933405F4A99B87431C8029C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:06.206{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3BB43F5F5697717D631BA8AD9F4AF0,SHA256=3928B5446097D1CA1A090ADA29391089F001F35752C10C024BFEA9E71F7CDCD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:07.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8659F8B4244CF432F758E467C5B9117,SHA256=ADBBF648C5A5B735D1385DBBBD6EAA547CC5420BAED84F0E4103EAF629E2C164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:08.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEBA918A92963BD2A9890492768F420,SHA256=542F7308C478F0B4FDBC92944F59326FFB29F0F30BDB93FF028E4E1164531797,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002269694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-2E75-6041-AE56-00000000AD01}6440C:\users\Public\QKumYdZSplan.exe 10341000x80000000000000002269693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-2E75-6041-AE56-00000000AD01}6440C:\users\Public\QKumYdZSplan.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-2E75-6041-AD56-00000000AD01}66365556C:\Windows\system32\cmd.exe{5ABCFE62-2E75-6041-AE56-00000000AD01}6440C:\users\Public\QKumYdZSplan.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.256{5ABCFE62-2E75-6041-AE56-00000000AD01}6440C:\Users\Public\QKumYdZSplan.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\users\Public\QKumYdZSplan.exe 8 LANC:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5ABCFE62-2E75-6041-AD56-00000000AD01}6636C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\users\Public\QKumYdZSplan.exe 8 LAN 10341000x80000000000000002269686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.253{5ABCFE62-2E2B-6041-A256-00000000AD01}26765604C:\Windows\system32\conhost.exe{5ABCFE62-2E75-6041-AD56-00000000AD01}6636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.238{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.238{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.238{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.238{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.238{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-2E75-6041-AD56-00000000AD01}6636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.238{5ABCFE62-2E2B-6041-A156-00000000AD01}56165048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-2E75-6041-AD56-00000000AD01}6636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d2432b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e413d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e3e0e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d195473(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6a49a4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c702e73(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e64d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e64d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e6369(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6d82ee(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e4821(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e43bd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e413d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e3e0e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d195473(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6cac6f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6ca23f(wow64) 154100x80000000000000002269679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.249{5ABCFE62-2E75-6041-AD56-00000000AD01}6636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c C:\users\Public\QKumYdZSplan.exe 8 LANC:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002269678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E02CBFD54161DC45CA298D0B53AC33,SHA256=677D0B894DFCB12EF876701A36424128031B81AB39B3C3D8A973E48167617BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:10.269{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=397C0AD38B9BD021D2F475DAD6371FAA,SHA256=EA08C6EE2F3ECB30ABAF303FCE42E7CD0C026C2ADFC1C0ACBFDD6BB339F6EE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:10.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9C23C71002D5F255F4B62D53974087D9,SHA256=85CBAEA23C348FE445898953A11154E6D25A1FC30337C25240225776FC06EEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:10.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708BFA435D0021A80299CEC43D2DA496,SHA256=CA371039456180B73C0E3A33447D2CA4D7A064E316CD336721297BC517A9B212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:11.534{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:11.300{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6257E459B8E3BA40FE5A890E45B9765F,SHA256=1B5BF8F6ED278B217370941C4237E07F4EA9754BC2578D4D02EEE7FFA4205F2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:09.270{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60264-false10.0.1.12-8089- 354300x80000000000000002269702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:08.801{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60263-false10.0.1.12-8000- 23542300x80000000000000002269701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:12.316{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F529A393339E8B710382C8001323D38,SHA256=88BDDEA9CFB2435FF6468CE04D73C7A530E22B2F35BEA9DF7EB4E9B1D45D2C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:12.081{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=841064EC79AF4D383C7EFCEEAA96A3F2,SHA256=258E610117FA589E5D93113CB7A57896E420AC649BC572EC6D96D6AB026F9A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:13.316{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B75B6408665E981F5A807645019E6CB,SHA256=1C46344F95FD593F067A59AD0ADABA6616608155E97300515D78D24E220A7D39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269750Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E7A-6041-B056-00000000AD01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269749Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269748Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269747Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269746Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269745Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E7A-6041-B056-00000000AD01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269744Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E7A-6041-B056-00000000AD01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269743Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.863{5ABCFE62-2E7A-6041-B056-00000000AD01}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002269742Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269741Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269740Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269739Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269738Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269737Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269736Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269735Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269734Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269733Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269732Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269731Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269730Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269729Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269728Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269727Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269726Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269725Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269724Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269723Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269722Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269721Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269720Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269719Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269718Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269717Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269716Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269715Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.597{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269714Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.331{5ABCFE62-2E7A-6041-AF56-00000000AD01}71484016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269713Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.316{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41952852A47BBB140178683D0ED2C0D5,SHA256=8D09CFD793703E0C50704C0181ADB95AE287C764CCB35F8E4C44A9C605547073,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269712Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E7A-6041-AF56-00000000AD01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269711Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269710Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269709Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269708Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269707Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E7A-6041-AF56-00000000AD01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E7A-6041-AF56-00000000AD01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:14.191{5ABCFE62-2E7A-6041-AF56-00000000AD01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002269761Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.488{5ABCFE62-2E7B-6041-B156-00000000AD01}68924272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269760Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E7B-6041-B156-00000000AD01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269759Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269758Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269757Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269756Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269755Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2E7B-6041-B156-00000000AD01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269754Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E7B-6041-B156-00000000AD01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269753Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.365{5ABCFE62-2E7B-6041-B156-00000000AD01}6892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269752Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.363{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89DA29D24FB1AB677D7CF83D44F5C4A,SHA256=9203C0EADFC20DF7C9AD6FBA0940A1A11BA98E02BF7BCDCC8E22BC5BF14FB333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269751Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D54826B09237A9D62C5E5175EF499B37,SHA256=482F4C46AC531214E39B60FB48831F0CF6E94870964C68EF15D211DE706258F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269772Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.378{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFBFD320E0E2F032580BAFF6FEB62A9,SHA256=149115E332FFFF819DD5BC689BCF801D9FE2C780E0AC93FDCD28F2C92D90CB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269771Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.378{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715125B4BB9683479A656C549A51FDC8,SHA256=7ADBC930DD0CF6C0A830658A76950AE269B8AA471ACB65E80047E34E34AA41EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269770Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.159{5ABCFE62-2E7C-6041-B256-00000000AD01}50006392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269769Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.034{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2E7C-6041-B256-00000000AD01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269768Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.034{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269767Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.034{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269766Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.034{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269765Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.034{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269764Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.034{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2E7C-6041-B256-00000000AD01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269763Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.034{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2E7C-6041-B256-00000000AD01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269762Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.035{5ABCFE62-2E7C-6041-B256-00000000AD01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002269774Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:13.801{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60265-false10.0.1.12-8000- 23542300x80000000000000002269773Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:17.378{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B44AFC8760B8D69EB03871615CCA86,SHA256=2BC94709BC00202E413ACDABC25822C594DEB285C3F3484E6C6CA0C18462D218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269775Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:18.394{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFABC703F2DCD0904A6884ABD3CF337,SHA256=FE8D94B5CB4F8D175B52823E0E9DD14DA49741A73967BF40241139219048F279,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269778Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:15.988{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56482- 23542300x80000000000000002269777Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:19.409{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4279E2E32100205B4DB87F7708114C36,SHA256=98D834D7AB262087055D02C8B7D001BB1F1C924A3BF180D9D10A214820EDC478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269776Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:19.331{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=933ABBDC82262916E751D262462BA2F4,SHA256=E9B0182589743EC2450FFF894B95527B7613726F9D9F9BDF19FC6E8A4744871C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269780Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:16.988{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56482- 23542300x80000000000000002269779Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:20.456{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDE7C86D2C7D28EC274518BF209A8D8,SHA256=45E85278D4CD3EC6FA8D134411E11F79853DEC8712778767E070EEAE94898FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269781Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:21.472{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7A320878A9629EF6FABD184F402954,SHA256=6C5B7949B88CB5430C9CEF8C94DEEE7DD3FE7EA631C2E3AC6D055791BE8B81B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269783Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:22.488{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81B6F48807273442D3860ED01BAAD94,SHA256=58B709FB2C044B0DC80824A799274E2E82679BD40D34526C67A1B30DD22BA60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269782Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:22.081{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28086E6E06680D8694B8F86A034970D6,SHA256=442D017917CE06B0FE59C7B4799AD14C4B29DA37DF629EEA92EBAF586FA2D1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269794Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.488{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C618470C3CBF3B9D0C53C6CE614F10B,SHA256=8C0646B4829874D1F459DC16DC968A399894A5C0DBCFD7D35657015D3DC05350,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269793Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.472{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269792Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.472{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269791Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.472{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269790Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.472{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269789Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.472{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-2E83-6041-B356-00000000AD01}5980C:\Users\Public\QKumYdZSplan.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269788Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.472{5ABCFE62-2E2B-6041-A156-00000000AD01}56165048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-2E83-6041-B356-00000000AD01}5980C:\Users\Public\QKumYdZSplan.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d2432b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e413d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e3e0e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d195473(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6a49a4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c702e73(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e64d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e64d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e6369(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6d82ee(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e4821(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e43bd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e413d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6e3e0e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d195473(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6cac6f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c6ca23f(wow64) 154100x80000000000000002269787Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.478{5ABCFE62-2E83-6041-B356-00000000AD01}5980C:\Users\Public\QKumYdZSplan.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Users\Public\QKumYdZSplan.exe" 8 LANC:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5ABCFE62-2E2B-6041-A156-00000000AD01}5616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002269786Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.284{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0263D001F56FB6FD73EAB595EA11608,SHA256=4F0F308213E1AAE86261BA8765B30903E21BEF61BD02365CA241DFAD23CD7405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269785Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.050{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A58CA174081A5B07F9A8155A8949F79F,SHA256=81154BD7EAB1F612146BCB770A7F0ED225A87E7FE0A264526EA8510BD8F90646,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269784Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:18.832{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60266-false10.0.1.12-8000- 23542300x80000000000000002269797Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:24.519{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6A4E263CFECA5782FD84261584F00F0,SHA256=5DA0B10FE556BA8EECE03A14C4EFE7E9A748010C18C17F26F1AAD95DE5503AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269796Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:24.519{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983179CCB1E11B3E4020A9F594E59404,SHA256=01203FB72EA431A357E4B690A236558622E996A3181B2DBE2974A9C4B5E276E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269795Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:24.488{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E78DA0E85420435CD08D52788A20F34,SHA256=928E7462D1C02F4CDACA5408103BBAD03708AA421A17B704F46D3A03A069F724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269798Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:25.519{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA4B5F4F9284B4A0A4CFAA19E2C15E8,SHA256=5CABD38173627ED5C763300AA169328A5FA7BBBAB1D94D95A52607EA8F5461E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269799Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:26.519{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7819A7478E1B1BE78BCCE5CDC321F67,SHA256=F4121B5843C46302F082186539F42BBAE46F519AA852621D10E0AFD4F8DE5496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269801Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:27.581{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FAA595014E384C36EE536BDB6D3B8E,SHA256=9DAEBA60CA80D841CC58F52C3B03F3925AF9273BA70653D568764AC93D43BFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269800Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:27.159{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2921585D7EC1C7DA430E6E34A84AA69,SHA256=2F1D4B930390DC23A9106CC7227AE0C8B36481F7785F7D5456F65EA6C06B4C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269803Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:28.581{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B16BD2D234158C7DEFC39CD08CC6B6,SHA256=C890A73DFFDF65D875AB7A9B40B91EF8AA34CF93A970C76633A66E23444FF492,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269802Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:23.864{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60267-false10.0.1.12-8000- 23542300x80000000000000002269804Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:29.581{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91CBE11824E95F3993C3C38A099387F,SHA256=30259EC9112B3CE7D4FFD1142B74254AB1B0893A4526D484D11B402B660635E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269805Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:30.597{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79797440BD5FF893DAF33E2F3DD09CA3,SHA256=151E0EDF7ACB99A7C97F6B68F69ED7DD06C5895AD3736C7D9C17E7D9DE7E3FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269806Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:31.644{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3150827B0C1FAB0E16EBF11D0ABA41D,SHA256=C186F3F357DB01A561F5DA89B800295E762B72B1143D2164F903402D112BC126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269809Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:32.675{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62CA82836AE418222E4E2C7B1FCE4A3,SHA256=51499C69586FD1D350AAD6D0F4E5649C3E68E5CB2E29F45719CBA72697EBE0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269808Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:32.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B0E2F64DD81D5BF8315B37FFD63B5EE,SHA256=3D4E9C7D4196745BD4B0538AA9F734B23DCCF8EF287A9C2B4EFA93BBE34799B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269807Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:32.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=551B184CE4973D3A1C0E04DD92D82911,SHA256=BE57621911495E74805BC209757957FA5589C4BBF86B3E53DA72548FD7B19ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269811Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:33.706{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F662E3FA9155E0E7951BE83ED1057E,SHA256=608D5E613FBEF6CACE62BBFE068974074389E3E73A49298E140FB5CF6880988B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269810Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:28.911{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60268-false10.0.1.12-8000- 23542300x80000000000000002269812Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:34.706{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7FFC77F80BD818B1B9A59AD3FE1C8B,SHA256=6C04814F46391E02D5B7135B0CD5043034AF154A973AC612E493328E262DBFD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269813Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:35.753{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DB1272954E4D3956F09EDB8EE4D21E,SHA256=3083C0BCFF8CE17D7B4511BA2B91DCC7C7A26BF90ACEE7DF9A59579DE6F592B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269814Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:36.769{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4C2192442BB135A06C35DB94C1F16E,SHA256=C80258D145F647DD1111D760D9F6D8B363C850A2F8EA187AEE1F277ED5F20516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269815Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:37.784{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA4FF78CB863457C53FF1A169FDA1EB,SHA256=EE4FB421FB8A9DDF76DBB5F6C82D75C5E56EDD80B6D950B8DEFDAF616315D278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269819Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:38.831{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBB04E9326D0EE925D16A497A31AB2D,SHA256=FB1B3C3F05F9C7E5C6CC115F626407FF5A25B27C1EED7CBBEA3AF1984C9F2E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269818Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:34.911{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60269-false10.0.1.12-8000- 23542300x80000000000000002269817Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:38.160{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A1AA8C6731448C3BCBAF7EDDEF03FCF,SHA256=FD0D07A4D283BA9B7F13105CFFED96D0480FE49326692A3D1690BF7E63AABF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269816Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:38.160{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B0E2F64DD81D5BF8315B37FFD63B5EE,SHA256=3D4E9C7D4196745BD4B0538AA9F734B23DCCF8EF287A9C2B4EFA93BBE34799B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269821Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:39.831{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278DDF64F4831923DC15934302780A77,SHA256=4C86CDA4990DBB9D9858B333162A5C47036A1C1E6EA8C3147D8524890B9628C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269820Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:39.753{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A1AA8C6731448C3BCBAF7EDDEF03FCF,SHA256=FD0D07A4D283BA9B7F13105CFFED96D0480FE49326692A3D1690BF7E63AABF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269822Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:40.847{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB7C7FD023D7848265EC54C6B6E1F73,SHA256=B8487D75406AEDAAB62E682EB149DFF8E10A26389F4182F20B721C28DAC95FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269825Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:41.863{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE6D24B2A4CBFBB0C68299162FD54BF,SHA256=3842F623E5D47C51D6C9E1112954BA19113F8B40B16C0B2E7F9E3E8B86FE0314,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269824Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:37.738{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53280-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domain 23542300x80000000000000002269823Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:41.003{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC361A965CB809CBB8C12B61AD232F92,SHA256=2B22EAD79599F31C290F0BC63D86C68C67B346368B8A620A531F46E91EB10278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269827Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:42.878{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B10F7D853B25F31F812270505F8523,SHA256=E6EFBA19501A06B5E7528AB9592F0E680F1087F252E09802BAA7FE1C67F05085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269826Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:42.019{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CED37D29AD0EF8D2F5447FECF4EA5C5,SHA256=20B25679D248C97A15760003949543CB443FA98D631EB7905139EA2B8DC3B714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269830Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:43.925{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE27029A809ECAF96B78440B89BF893,SHA256=0F903D2B368B05A94CBA30849A8DEFE07F2A07F26BEFC0772E5AC315093A36EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269829Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:39.973{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60271-false10.0.1.12-8000- 23542300x80000000000000002269828Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:43.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81F6DF2EDCAFDAF2B8852B2B015670B6,SHA256=2ED39B8FFBA5E899C73BD084D735F9D5BE5D8CFA86AF37A7ED9B364E00AAA165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269831Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:44.941{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788F35D3D13EAB95861CB1529C19003B,SHA256=88E02DC4A7DFB1022E5C9C384BB3CE3D8BF49A26125DE427F808B1C9429D13AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269833Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:45.956{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198BAB6DA11D94C517FB8ADCE4BA5DD3,SHA256=814D5435D94A17232916039A8C6DC2DBCF7BFA24557C53231421908892B5BF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269832Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:45.066{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD9D7C9F080C987430A5C6150FD8B628,SHA256=FCE49192083A1F5A4183E4853D3E44956F1E3F2AFA05B2C66E011BF186E57198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269834Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:46.972{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C7E7E1EC103D8654FDE087BA4701F3,SHA256=D7124538B9AF54D736941DDCCBE09CE340763EE211C9698EEAE685A69F97FC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269835Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:47.988{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8086D143FDDDEE255677F56F4F1598EB,SHA256=B2C9EAE514A360748D4FD0B9BB3E9BB1F8662829B99A6D31EC93EA51D0EB34C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269838Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:45.801{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60272-false10.0.1.12-8000- 23542300x80000000000000002269837Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:49.050{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47EF8CE3CD3D9868D355977AA6305333,SHA256=9D8FEA35EBD613F5DE48F6DD5B02E22085DCE55A26B86D4C9956A5B17A4A9ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269836Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:49.003{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E387642BDC9A36F68B9B93F76B6BF38,SHA256=11A36285BBDEDD90C40139F38BC6786C5A3B723AD77790C4052BCC6C9AC9FFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269839Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:50.035{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689901579765CC577957C60CF72F391B,SHA256=E90448CBB2D8A31D01B03B94150DE727CD016C7EA25F129AC28C0AE2B240FBF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269840Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:51.081{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB05062A835A7BB4E37BB5FB5CF3FA7,SHA256=33A2A253445327DACDFD46D14F13F0911D809C3337F22515DAA9DF723FF3C258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269841Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:52.081{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00AF97717278775ABBD042D2EAAB2DE,SHA256=30B47CFB597438FD8C61D0B190508CA8BA3E2F055E681DF63B65037C18232CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269842Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:53.097{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BBBDCF686AD77764A5729796CA4750,SHA256=0EB543CBDEFC26B5606A0F60445F7F526951D431642C93CBB1C6CA1329F37C62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269846Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:50.848{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60273-false10.0.1.12-8000- 23542300x80000000000000002269845Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:54.113{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502CC7B17F94770EDA4AB2FB7DBCA417,SHA256=5284872D802178AFC2945D1DF0DF842CA62419F64E048A02FC0C131CAE22EFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269844Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:54.113{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=875EF5BACD6C7D9AF840084E1D0D100E,SHA256=ED532C259AE6A536FCE850EFBE65C65943C6E25667F747516E30A0C0707D9B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269843Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:54.113{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAAECD4F444F4460BC0B2D1F21770B6,SHA256=580702D84D0AA81E5237476081E0E2E1E0C06EE16A594B77EF7F9B42CF54BE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269847Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:55.128{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D65C5727F260B5A7EB259CCBFCF45F,SHA256=079E30193AF065D3BCCFA75175067708C90DB52CF0D199F8F06C61CFFAFA8B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269848Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:56.144{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D968B37AEE5AAC7F7F5A4D5F97E72EC,SHA256=D8B7A3B09566989E3110EEC7FD025F11D431A0A4628A014A1D1411AF3403F42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269849Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:57.144{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC5880E8A5539C3DF5DFD14603DC6D7,SHA256=91A19B4F46F9159F1172E28310864FC2358BF8EED89953DB10406FD91DDEBCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269859Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.676{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502CC7B17F94770EDA4AB2FB7DBCA417,SHA256=5284872D802178AFC2945D1DF0DF842CA62419F64E048A02FC0C131CAE22EFAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269858Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.425{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EA6-6041-B456-00000000AD01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269857Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.425{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269856Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.425{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269855Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.425{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269854Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.425{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269853Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.425{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2EA6-6041-B456-00000000AD01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269852Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.425{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EA6-6041-B456-00000000AD01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269851Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.426{5ABCFE62-2EA6-6041-B456-00000000AD01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269850Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:58.191{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B230D2C2B50DD70E0B690BDC4757C19,SHA256=3774BD5EF17365DD6885B30EB8E78DC09EF0ECE30447CBEE144BE4AA5584EC99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269879Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:55.426{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60274-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002269878Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:55.426{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60274-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 10341000x80000000000000002269877Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.770{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EA7-6041-B656-00000000AD01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269876Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.770{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269875Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.770{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269874Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.770{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269873Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.770{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269872Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.770{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2EA7-6041-B656-00000000AD01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269871Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.770{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EA7-6041-B656-00000000AD01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269870Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.771{5ABCFE62-2EA7-6041-B656-00000000AD01}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002269869Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.223{5ABCFE62-2EA7-6041-B556-00000000AD01}61004388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269868Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.192{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A56864D47FE3CA8A0ED85CCD87042DD,SHA256=D1C3C56EEFDF268CEB0A6802E9180603BA11BBB67EC7BB53FE0EA50782192AD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269867Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.098{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EA7-6041-B556-00000000AD01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269866Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.098{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269865Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.098{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269864Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.098{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269863Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.098{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269862Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.098{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2EA7-6041-B556-00000000AD01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269861Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.098{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EA7-6041-B556-00000000AD01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269860Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:59.099{5ABCFE62-2EA7-6041-B556-00000000AD01}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002269882Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:01:55.864{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60275-false10.0.1.12-8000- 23542300x80000000000000002269881Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:00.223{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E548E00A132D36F320DF0D64823804B6,SHA256=1BCF220A36EFBE1C6DA16336AA767830640D28C2FC13178978F50E6E86F4B0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269880Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:00.114{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03CA5F7E11AC58D3A808FF7AF3D91F33,SHA256=4828C2B9953A36613901B0A6F1D4DD07F97E230EB4E204A95721314CF32D0D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269883Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:01.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441ABECA47739AB0C2F1C36B223F6FEF,SHA256=22958FED4363D9D9BFFA5B115A4BC5C7335B1D54C99521B394FCC8CDBBCA4CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269885Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:02.739{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46CF0DFB6A39629E1889507936ED7BE,SHA256=99A8E8C14768C6A6C6B265139F4ED9620748D99E8C04EF633067FCC03B0B7657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269884Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:02.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983109E61B22624C15B256AB179EA3F3,SHA256=3581DA80B87711477A94B4D869F7F5B370B165BBFD944891A1AB1D14E590E272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269887Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:03.755{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B57C93B65C0D544BFFC6706F0A21B06,SHA256=E08C515F31A261EB17FCFAE7F1B7CC989A6AEE405308CFE6CE967E64ADCB1C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269886Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:03.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E14CB91FE8244DDBB1DF01C4DD0BCE,SHA256=B046CF3BD16486FD14F3052B95C12D24AA55C61BBD3C190094529014894CC8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269888Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:04.270{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AF2EA96397FC91587EF9E363743885,SHA256=92A501B5752A1F65859D40A34945B9C8DADFF6361EB18F6D01C0D1B8DF69157B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269890Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:00.881{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60276-false10.0.1.12-8000- 23542300x80000000000000002269889Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:05.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AE3F0B012EF524960A68071E0525A2,SHA256=89617B26E9566D7B42BB9F382E76C7819B3250611F3F1D75B0149791133A5568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269891Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:06.317{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFD22F9104DB45A1DAA24C1151F6EB9,SHA256=CE6B14F84BDA9AB711FF7E8EF009DB7737A8781FA7863BD556FE2FB99272F642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269892Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:07.333{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F2EAC1E96F04835803237F89662885,SHA256=D624651AFA2992459DF514342A290B905053075BB7D4348F413104626D0CB0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269893Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:08.348{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0327B3B3883D24FB3DDECEFF01F0118D,SHA256=F4C1AA40A693E750153D68B0EB5AAD9D40B22DD7857983985CA5676612868397,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269897Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:05.927{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60277-false10.0.1.12-8000- 23542300x80000000000000002269896Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:09.380{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77232E1AC8B96D62C6B066A024ED7BE6,SHA256=D666662F3856B639668E49A555B5691AE4F96C5464730DFFC1EA60DD6D825500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269895Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:09.317{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17D1DA1310BA9DFCF02546366F06744E,SHA256=36C993DE28161983FCEBD72ED33870788CB619CE402442E69FD0DF3CC87DE342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269894Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:09.317{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2CB18748A673AA4E539AFC7BFEB8F0F,SHA256=81C42EE337FC3992AE44A33F965C258BAC59B97864AEC8A7D30A80441876B6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269899Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:10.786{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17D1DA1310BA9DFCF02546366F06744E,SHA256=36C993DE28161983FCEBD72ED33870788CB619CE402442E69FD0DF3CC87DE342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269898Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:10.395{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B2549A4D640A02C8D798F348A78E68,SHA256=D7645E2F7F44C25296A43E4A6FA606529DAFDC46BE4532CCCECD7A9F3505883C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269901Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:11.552{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269900Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:11.411{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA36793EB92F89E4094DDD9B0762568,SHA256=BF152A05EE44A82D8A1EEDEBC13DF01159C4A4DA797F6C1DCD4806A3BE0D276A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269903Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:12.645{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C11A13ED73B0C8005D774E736E0699,SHA256=CC9D96A374155027756328E8296B4BB0C2117AF38DB1A8FA9E34F05D867FB598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269902Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:12.458{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2809EF99F5ACA191DE0553B4AE945D3F,SHA256=5A788E2643F8241FA29974C0DB19FA934FEE667AC1C1CB19CC92EA6CE458E95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269904Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:13.473{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D90966EBD74ACABC60850583EFF799,SHA256=B266070240B48BF24744143B6838836839E3523854640E9807F17C7C204C5CF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269923Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EB6-6041-B856-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269922Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269921Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269920Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269919Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269918Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2EB6-6041-B856-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269917Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EB6-6041-B856-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269916Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.880{5ABCFE62-2EB6-6041-B856-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269915Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.489{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4FED6208560F146AA7EB8A4B583634,SHA256=C55B6B8EE012194FA00ABD6E15CF1EF612806D11FFF195E410B588FE4D190BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269914Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.239{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B53FEE8E61782432DBFB688F0E6E5CF9,SHA256=C00548A7ED42F5A45BD82DA98EF2CB20D3B5B97F3C0101B768127241FA248F03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269913Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.208{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EB6-6041-B756-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269912Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.208{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269911Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.208{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269910Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.208{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269909Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.208{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269908Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.208{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2EB6-6041-B756-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269907Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.208{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EB6-6041-B756-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269906Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:14.209{5ABCFE62-2EB6-6041-B756-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002269905Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:09.287{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60278-false10.0.1.12-8089- 10341000x80000000000000002269937Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.692{5ABCFE62-2EB7-6041-B956-00000000AD01}35723684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269936Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EB7-6041-B956-00000000AD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269935Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269934Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269933Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269932Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269931Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2EB7-6041-B956-00000000AD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269930Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EB7-6041-B956-00000000AD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269929Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.552{5ABCFE62-2EB7-6041-B956-00000000AD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269928Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.505{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB30939D452FAB5525A074A0805C187,SHA256=E290E6E3E324D9F025527D86C949EC6E3E8190EFE8956ADE88C7EC66C077A5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269927Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.364{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78ECCF75361D894D623C458176552A1C,SHA256=08D6B85E1237C59361717FDFE326C6E47002F6AF378E9B9087FE6F56FF6B6B33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269926Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:11.537{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53750- 354300x80000000000000002269925Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:10.959{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60279-false10.0.1.12-8000- 10341000x80000000000000002269924Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:15.005{5ABCFE62-2EB6-6041-B856-00000000AD01}39164324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269948Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.583{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A59A0A7E5F1B1F8860B64128BBEBD87,SHA256=1D357576BC74DDF2725B7D7A659275F263F84AFB63FE30F5DE5137000C905E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269947Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.536{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAA1736CC84EC97C7AE46B9AF90E388,SHA256=851F1F948D67B45EBCEF27B132CD4D3D2BF13CDCCC9C6A1FDED60E7E083884FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269946Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.349{5ABCFE62-2EB8-6041-BA56-00000000AD01}57366828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269945Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EB8-6041-BA56-00000000AD01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269944Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269943Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269942Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269941Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8525944C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269940Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2EB8-6041-BA56-00000000AD01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002269939Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EB8-6041-BA56-00000000AD01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002269938Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.224{5ABCFE62-2EB8-6041-BA56-00000000AD01}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002269950Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:17.552{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4569D2B6DA04CE6A15E1E4895755664,SHA256=7978DCF26817543160D0B95D018E61A0B3FF9AC840E0737B0703F57F64F19A01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269949Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:12.536{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53750- 23542300x80000000000000002269951Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:18.583{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63564654295CCC68DF22710BF1EF4104,SHA256=D5ADE87DF811B87198C83B29C8C040453C9481FCC834191548440288BCD50ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269952Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:19.630{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182AC69306C99C21A1A5C12240E688FC,SHA256=D672D6B953056A49A3EB61B52A669889E88E18AE8C0BA32C9FD2A7FE028523DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269954Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:20.645{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B486B23D3114862FC629B6AAF9C7A65,SHA256=E7F4F497C5D56C79C81B79C7A7F6B894D8074CE6513C73B4D4E7404B0819647A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269953Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:20.052{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D3827C3A60369E994BCAFC07FF4B0CC,SHA256=49B9E5932E1DE87D6A5933E8637AC5FCE81C3DC40966416844DFC28FA81583D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269956Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:21.661{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70560E7C03B6BEB0BFA3C99D950AC658,SHA256=BB7724C47EEFA1625C835C335B07E42F178227C61262697A4AB5BC8A04D6786F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269955Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:16.787{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60280-false10.0.1.12-8000- 23542300x80000000000000002269958Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:22.677{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E400561CDA1AA02DD38820040C26872D,SHA256=CAF6102ABD8E6BD18CBEAC7F1A9410F6772559F125502E63BE1C37C56404F334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269957Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:22.645{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2A5F7F68800C22FAD9E82442164C0DC,SHA256=A3622E724F847CC0D2CD9F2E530D599EB4D537C130639F70D23864F3956144A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269960Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:23.692{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39396DAACE6F8E1497F4979A82435161,SHA256=1EE6AD07688518391815A570935B573DAC0B2D1F7C6F78A5F20A7EE04E0893EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269959Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:23.052{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=96663EA6C22D3765F951B445FCAE4C26,SHA256=9F2DB0FF036F130A5C1B9819D5631D251B79ABEE8695700C63A0EC3D7F2E200E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269962Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:24.817{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF10E65EB6913E4004411D7144E05D97,SHA256=7751DA51936C3FFE828CA5665BF6F9F04A5E974F6160387DA109E6F56EE44D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269961Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:24.817{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77FFBD9679360299B67AB0C3ED1E609,SHA256=9FC0286CF0138C24148528048251565F05D095ECED62A1E3402F4B9DC4ADC613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269964Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:25.817{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8141DFBFD2B164F51356414310534FC8,SHA256=10045582EF8144C746D366CF54EFBFF6738EDC43DF42E70C6021B6B62663CC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269963Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:25.817{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C530092A480844DBC063B7BA70D70E51,SHA256=04F9BEC1C6A0DB3914D8A99BF2A6E0A5098E547E7F56D363ACFA611C0F73BB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269966Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:26.817{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A627C5B81348BCDDC6E07B5240BCB2A1,SHA256=DDE8541791CA1F43F7AF5B610540B0F20255243885C17ABF49759739B9F06DF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269965Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:21.849{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60281-false10.0.1.12-8000- 23542300x80000000000000002269967Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:27.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B322BB6D307F79C2CEEA8FE2C08FF47A,SHA256=31E13CF596D598604E46C7199346C48E27361330AB6CCC3182B322480A8E1F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269969Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:28.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DAADF0E3B2F8EAFAA408DFB17FC353E,SHA256=A75241E2FB3BFCEF0ED0164E5F910C12F60552D6A690962AFBC650EEF0258C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269968Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:28.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481F0012E453A8744CCBA95E4E231B38,SHA256=6716BDCA18794438C863026043A4B275765550C38EDC031564851479440F1C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269970Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:29.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4819FFEC0100BFAEDAB53CE2322AAB0D,SHA256=D17E0CA7B70DE864437B782B7E9BC04D509430F3873957E6335A43EDC6FEB775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269971Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:30.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5D763C8FA45A688BCEC29686E0B2D4,SHA256=9B4AC034AB709BB438007D4D7F411A2999F830DB9EB1041B862C66C97DE3FBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269974Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:31.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF49AC83985A090AB931E367CDEEE24E,SHA256=88891CE2CD90C0D1B7510DC6A9CE161E1E44DBA34F576D592DF5EC10ED6FDF84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269973Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:27.849{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60282-false10.0.1.12-8000- 23542300x80000000000000002269972Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:31.114{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B6329C4B71CF3161BE0BBF2B5019FF3,SHA256=61D6C933179D9F5B2B1C6F7FCD5071933815E882F4234E254782A6F287265728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269976Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:32.864{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77FB3B8547CCEC3D473BAC7074982175,SHA256=02CF2C5552D0C3DC0DBD76EF1784C98F2F71C103CA04F8C6CB1DD3BFD948539B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269975Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:32.864{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B551F1A6EF76B28904DD4985472F02,SHA256=0F55956058B36C9CD926E64EBBB3C7907BEBCD1C8058CB456BFB70760A2E0E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269977Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:33.880{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F76B60319AC5D51790D9B7AB7DDF2E2,SHA256=121477932821D6D0679E98664B50CE116F3A70AD19A5C86B8A95C37B8EFA1989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269978Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:34.880{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D53696D2FCBB4EC8BA8D83482F278F,SHA256=56C0D13C09A84755BB531F5ADFF8A259883A0DA5A33AD56162BB5094A261FCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269982Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:35.895{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195146416569369FD1229139D058077C,SHA256=8C7C4E60C42DBD681A8B2CAD2A4BB35FF70564ECC55700053D71B2945C581FF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002269981Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:35.724{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269980Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:35.724{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002269979Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:35.724{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002269984Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:36.911{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159D109BE3EB40B7B5962D6D7A2D427D,SHA256=B93890D26D60ABC3C77A7A8590C665F505FC2E0E3FB6BC81F4FF6857187D1FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269983Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:36.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68A5D592F58EDFF268264715886551F8,SHA256=4D502D29B65118FC3CDA542B00ABC6C126F8B3060C9605FC1059BD63416F05A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269986Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:37.927{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F76BC09848E0DAF8E1ED4D690F175B3,SHA256=3672F24272E1D066A9E068CB8BA12E881CF078A4A6A473716779AD89CF9A0590,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269985Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:32.865{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60283-false10.0.1.12-8000- 23542300x80000000000000002269987Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:38.942{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417ECF2028E153E9D339164303833F71,SHA256=5C5E9095C359B4D494D85B9DB60B964ABCEDDAFCCAA094BFC333F42044FFC252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269988Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:39.942{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE2F6F97F37241E2F4FF5A5C452A37D,SHA256=BB4D0E1E432764165FD706C9BD083B241C6B131D5FFC4F9832E4832392DAE564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269990Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:40.958{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E47439DE2BC1664454F1DD40D0D3135,SHA256=9FD95FEB5143BBBB8C613C06FFF69B81DAFE463081EAF20CC00D5FD93E7C8A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269989Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:40.786{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD1597772415D87F2AC352310F2AC141,SHA256=C415D83BED8E95C2A442FB49E1AC11B0160E624E7BC07D0557BAC6D39C801051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269992Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:41.958{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032FB9A8BBC0A018D64981BAE81F27C,SHA256=EC2DE323BBC21CDC56DA002C5609DBA2CB13A9F355F02B5230D8AEC7AC8E0EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002269991Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:37.912{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60285-false10.0.1.12-8000- 23542300x80000000000000002269993Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:42.974{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB7F0557B961123D4E72B96A3B1A218,SHA256=27573D3BDC9920FAC2E4E6C285F7BA8747CA05825ECEE9AE88AF8EA441D79202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269994Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:43.989{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C9475AD78B5A067B109A151E1EB3E1,SHA256=234447E6C90BA06B78EE09960718EFF58BCF4B4F35E7F2CFCB0BAD1CA2BBA078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269995Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:44.989{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAF75399B15C2DFDBCDEA1730515186,SHA256=3677B5D46CA67BF49976CF2615D3BCABF5E5156B024B06359A515802C585BDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269997Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:45.989{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85802750FD2851DCB6F5E4E2A9B7519B,SHA256=5C97C1E13117BFA026E4093945247AE6DDAF84FA6D00EA0133674EBFE5A85B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269996Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:45.349{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EB3B28272D3833C23AE930277C84D2A,SHA256=A7775C2110C53A17B6CDD6E85F2275C81B372750AD95608BD16C6AC921AD7235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002269998Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:46.364{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41117292A7DEBFC974C88A9B400CE9A8,SHA256=9B238658D29F923877133E08AAC293A679044F60345ADFA6A5DF3188D18080DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270000Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:42.959{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60286-false10.0.1.12-8000- 23542300x80000000000000002269999Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:47.005{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E1E9EE456C89A739DE7C29677077E3,SHA256=E7B45A5946DF3ECFADF70093872AA4DEC2795B0D9E6C0D734F0AB16F7B4BA9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270001Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:48.021{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60008DF3C50C03D3277E32BD8C9604D3,SHA256=EE62220784A7BC0C4AB08AE716F27B99F765BF4F050776F7C8F8D7C781D92372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270003Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:49.380{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1624987974DCD2C7C4CFFFD174325424,SHA256=C2D0B19D6D0AED0E53D2E2B77A55003D754ABB2B43557C23CFD462D4BBEA08B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270002Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:49.036{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B44EE3EF87D3A69885712BE75B8AD4,SHA256=588F5576F99A9C0AE98F46757D574007E89777ED86FD1C8131B95CE83482014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270004Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:50.036{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC928599B2C24FBF08B49FDCCE6D8B8,SHA256=6976503454F410B4AECC129A8AB9E96A14CA56DC8B8B4BA117D690AD62978A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270006Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:51.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=585B063462F6231F936860045A33537C,SHA256=43D1C6DC32540C6F1B9952BBB51A40D77ADA2FAE7D84730F0856BB3A0546BEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270005Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:51.052{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADAF946D2EB85E0B4F9C2D7D5E9D7D,SHA256=9E05CC4D45B9F27BE3747AC3AA51EC643D262C3A1EB5AEFD735B2116F626F8C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270008Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:47.959{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60287-false10.0.1.12-8000- 23542300x80000000000000002270007Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:52.067{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D262C32D2F8E18B55333DE1378A63B,SHA256=7B2DB6A339EAD76F786A4956F072A3C10B8312B809EAAC80C9EC8E3333D70F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270010Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:53.396{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F849B5AA774DDE97CE54401C6BEF7927,SHA256=7772DA43449F69F0C96651ABEEE33B908BB855A8D020D0738E6D5E0EE884D3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270009Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:53.067{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACF2525EE2FF109CF8A76B78EB05C73,SHA256=4187392A7229B261C49C9D0DA7FA6D30C52B553388141989DA9EAA5FC25E7D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270011Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:54.083{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1560983A0729D189FF032A0FF772FB38,SHA256=61F70C79067E7B5E3E4AE1ADE5483FEE82FA7169E9C2B48C5367D6DFFEDC5D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270012Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:55.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C0F3C67D2D42F4C80BEDD43ED00EE6,SHA256=BFFCD934495C8E62C422920F57D8F909586885667155D63F7242D5749F8500A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270014Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:56.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B4C7CA68ED85423A6936A43A42C1C82,SHA256=71343C5050AABE61BEDE8E5D79F5FDEB948D88AAACCF1661AB61B78725CDE6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270013Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:56.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5757149F09D34A82BCF94557CD0A73,SHA256=F11BB93D72D0268BEA7659C56554BA7C9EF7A331A69049F6D87286A112EE7205,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270016Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:53.005{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60288-false10.0.1.12-8000- 23542300x80000000000000002270015Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:57.114{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC15647E5B7FD31D013FF7DB48D59B4,SHA256=97A3CDD3D16AB32F1E667559C20001D5DF60B70BDE3EA3C4B4C09D27F30E8910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270027Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83557C68DA8049FFF5AA31B8D3B73137,SHA256=4551F06A45931DCD08322D89B62DBA9ACDDB550CA4D42F48AF08ADFBAA7CE047,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270026Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.583{5ABCFE62-2EE2-6041-BB56-00000000AD01}22802784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270025Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.442{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EE2-6041-BB56-00000000AD01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270024Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.442{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270023Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.442{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270022Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.442{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270021Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.442{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270020Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.442{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2EE2-6041-BB56-00000000AD01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270019Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.442{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EE2-6041-BB56-00000000AD01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270018Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.443{5ABCFE62-2EE2-6041-BB56-00000000AD01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270017Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ACA8AAC6DD64E1E5AAE3ADC8707931,SHA256=D1859C6F5B5E4B97561654110D91BB16F78CBBB0E91FC59877C8942B6E712660,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270046Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.786{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EE3-6041-BD56-00000000AD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270045Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.786{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270044Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.786{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270043Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.786{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270042Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.786{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270041Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.786{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2EE3-6041-BD56-00000000AD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270040Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.786{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EE3-6041-BD56-00000000AD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270039Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.787{5ABCFE62-2EE3-6041-BD56-00000000AD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002270038Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:55.428{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60289-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002270037Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:55.428{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60289-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002270036Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A3D4D69F43EBCE4AF05C1CDABDCED4,SHA256=57CB104227F36CCC6DAA855FBEBEF90A73B82042E83FE90F5B28EF2F2C6399F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270035Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.114{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EE3-6041-BC56-00000000AD01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270034Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.114{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270033Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.114{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270032Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.114{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270031Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.114{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270030Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.114{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2EE3-6041-BC56-00000000AD01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270029Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.114{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EE3-6041-BC56-00000000AD01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270028Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:59.115{5ABCFE62-2EE3-6041-BC56-00000000AD01}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270050Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:00.146{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC4E6D53D0E084A2623C843A2F6E879,SHA256=B95BE0CBD5FA39FAEDB86D573E2C3B3229C40737EA062CE81E3FA84EE4310DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270049Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:00.114{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D32F8D9FDFF16F10D8EFC03F791F603,SHA256=801262BCEB6CCE7879ECC13DBF113B780F0D918882DECDCA79C0A2563C6EEB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270048Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:00.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=55C2888A942EF1C8ECE26A9DBD960C2E,SHA256=A64128A178E15606867FA86471F5DCE89CC1D29253DB65DFE4E067F91D672C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270047Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:00.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D507098A4383F919DBF823398C57BBB0,SHA256=3E52F19B7C98A97074819DD9E61CAA8D349FF57C55053FE13AEA49ABC5813CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270051Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:01.147{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E83AAF67E6E7D1464E70DBC254BD01E,SHA256=33D34077D447CC67830AB1287CEBE0CB5CB85E1B676F91285187D382E7DB0627,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270054Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:02:58.819{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60290-false10.0.1.12-8000- 23542300x80000000000000002270053Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:02.162{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7B8733B49695D8CAA303C8791CBB3D,SHA256=B282920821DB35C3E6E7DD5026EFC54F855E72388440B5C6F16159418617E0D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270052Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:02.115{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2FB2AB4B999166B13296D63FE024B7C,SHA256=0E006329E5B7377BEA7E73305056AA94521EF072737AAAFDD238FDDDAD168152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270055Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:03.174{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6F839C763657F0F903BF98DA1DA50B,SHA256=4CAAF96E8016B2837D0DA2DFD76C24157D55A9B98EAC385114C9E2C701B4C563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270056Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:04.174{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5023C740B4381573BA229B524F3945,SHA256=DDEB51E0DE3FF41DF0B0A4CF42E1B48D57CEA8133874EC4D85D734C8DC0E0E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270057Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:05.177{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6586D25EB581834DCC907CCFC2E1AC,SHA256=681A9BB99A78AC1CE4B551CB5BB7BFB9D3B1D8B768F7B89F2252B942F5F3CA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270058Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:06.193{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CE8B10C2F770D47E33C24396FA0F3B,SHA256=46935188230543A25F34173AE382DFA2FAA7F1AEA2FE907552E109106CA7434E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270061Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:03.818{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55702- 23542300x80000000000000002270060Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:07.209{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12766C8BF827602282935EE937482925,SHA256=0F2B39F3BB909E27FD4D66976E52EBB9DBAAF46148537B38B732693507C6CA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270059Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:07.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A8C9899F53A307EA9B530E314E94DBA,SHA256=3647DE6BF786273BBE5797A7D252B6B03AEF314B8A0E615084D6C7D6AEA4541D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270064Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:04.818{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55702- 354300x80000000000000002270063Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:03.850{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60291-false10.0.1.12-8000- 23542300x80000000000000002270062Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:08.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E510117E33B52A738239290A9C22D4BD,SHA256=0B4A4232388F841E74562DDF1FB7B3EA1DBBF42FEDB349E9888A9A980F2EA03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270065Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:09.240{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF55CE2F45823FF2DD19E356F10946E,SHA256=149BF0775A7CE73078D0BE99A7E893E898AE6B528826BDEA215A6F5CA4E1D91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270066Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:10.256{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C19BA2D45F9F0EBB8F99FFF7B6611A3,SHA256=4CE41F336AAB2A2CC43B447202DC8021E6522E2A9418AA9EDA3A4FD9513726D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:11.568{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:11.271{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B053C58D243EB51C15B8BA042855C84B,SHA256=FBED4ED5191FAD89B90E410263202336E6A311D4712196F47569A65EB0A35E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:11.131{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1CE54F60CC8097C5C5DF04934AB468B,SHA256=24FB90066FACBB9BF33A402540007181484B8646E4384BD823E518AF406DE562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:12.615{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10C3493302EB45672BB217ACDAEC6D3C,SHA256=4BF06D0AE33275DB89ACA1AA3BE3DE18A612CE50587C00A8C4430E2275239FFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:08.865{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60292-false10.0.1.12-8000- 23542300x80000000000000002270070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:12.287{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ED96AC6089937A3AE5950622B07FB2,SHA256=B8ED0AC6734442CD5ED606BC032CC51F3A899831843F4C4E3F88AD1104211B4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:09.303{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60293-false10.0.1.12-8089- 23542300x80000000000000002270073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:13.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B68244F1DA7229994AA462AD8C2AB09,SHA256=0F8D2297F8F58247D5A2763DC8767C39075410320D25CCBBB8784364B1B54145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EF2-6041-BF56-00000000AD01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2EF2-6041-BF56-00000000AD01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EF2-6041-BF56-00000000AD01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.881{5ABCFE62-2EF2-6041-BF56-00000000AD01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002270084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.334{5ABCFE62-2EF2-6041-BE56-00000000AD01}69926296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002270083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34444498F9796F0BD785CC6959D0758,SHA256=F05F430B122159FDCDB34567CF2720AF7EE2AC20B385D76862D52D9FBD3773C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EF2-6041-BE56-00000000AD01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2EF2-6041-BE56-00000000AD01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EF2-6041-BE56-00000000AD01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:14.209{5ABCFE62-2EF2-6041-BE56-00000000AD01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002270140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.599{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.552{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EF3-6041-C056-00000000AD01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.552{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.552{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2EF3-6041-C056-00000000AD01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.552{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EF3-6041-C056-00000000AD01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.553{5ABCFE62-2EF3-6041-C056-00000000AD01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.318{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB59B7B971A35B1962DA097BF521CA52,SHA256=13CBB698DE1012052C79C01EA565BE2EE79AF020FD943ABCF5BD4FD39A35FEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F30CB31B169B274877001D9A3BD4576,SHA256=30C10E986E10E683D8B5C94F87FBF333630AE6A7B06D9E08626F65B367666919,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:15.021{5ABCFE62-2EF2-6041-BF56-00000000AD01}54124680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002270152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.709{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7197C0C64B3115774B3F4C42D02E37C1,SHA256=A0486D3222E630BE9C7A2F7F6878C4D4A1429D209A425BB123EA80E3E4517A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.709{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FDFC7DCDCF16A9F8EC2BE1137B8D7B,SHA256=A90381C703B6485C0DC785FA425BABC5538129417DADBF776CD89215DCF46968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.709{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F14EEF63F8629EB887D6E6CEFF0760BB,SHA256=4774D9137B24A467908E6F413D29E3E42B7B637E77916C71A3096D1FFDA63D66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.349{5ABCFE62-2EF4-6041-C156-00000000AD01}15886868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.224{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2EF4-6041-C156-00000000AD01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.224{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.224{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2EF4-6041-C156-00000000AD01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.224{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2EF4-6041-C156-00000000AD01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:16.225{5ABCFE62-2EF4-6041-C156-00000000AD01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002270154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:13.928{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60294-false10.0.1.12-8000- 23542300x80000000000000002270153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:17.365{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C401C6AFC9D6D8F7CCE0EAC0958A50FD,SHA256=3A64A3185E98B65AAC9CFE0B1977AEF4985C222E32B766D6AF338CDD77BB97A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:18.412{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDEE4AEF5C8B4073D4F2D1A43D55980,SHA256=CE306EF7009260662938C02121232967283370CA6487D4D4B83E5DDE41F13076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:19.474{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6E3EABA143E5DEA1E1639F273593FD,SHA256=52E60B97A6FDEA9AC7BE6B8B51DC90055A268F7B8DF6E034A161CB9341E46BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:20.490{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9393C9C0C24D234081EBDE3BC524DB,SHA256=3730ACB673240C3B1FB349616BC1F8C8FA67FD89A3ED46454358BE9B9C0B6CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:21.506{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26476522D68109CDBF6BEF543BFDAA9,SHA256=7BFA5302D8ACF028331EEDB70F89F4478D3D6FB2082108E2718DD7F792EA4B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:22.537{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1574FBC59B44E7EB9280738006F4045A,SHA256=239EFB98812562EF9DBA0EBA789BB50F0456A4813AE6E149F1E146E1022622D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:19.943{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60295-false10.0.1.12-8000- 23542300x80000000000000002270163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:23.552{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362F8BDA57F5E5A73AF6BE6DBD43DB12,SHA256=4B9D37D157FD9B8228A8E323D62B285ADB388327DA480092DF7559A44E60F8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:23.365{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4603B18466C269FE4E8D00CA2C27A908,SHA256=E945BD9F16DA434A259AFB819C3B6F954C07E963D61BB05087F68244E8954D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:23.365{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16566FA802C25A08EEF503DCEEFC99D2,SHA256=052D8C3C74CBA9730293B541B6AE64607772C0AD90B9900BE74FF1AC34DE6E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:23.052{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=969867EF59F11491DC068A55A4424A4E,SHA256=E6ECD46B36422BFCDD30D98F50656047B96CA1ED0DCC31446FF98194D677A434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:24.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80488137CBD095272119A5AFAB5245A,SHA256=5FC47C20142010138393849E3A7C084CAE75C21088ACE44D2633812DE52EB37B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:25.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBAEE372CC207B3769532824623DE7F,SHA256=0309F7AD602E0FDBA6C9CBA341EDF8E006168D64552435FE02A3DCEE8E82A8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:26.615{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882A9EF233AFF497730DF737B486E13A,SHA256=852E762DC86A2409371C3F8546158BDF9C73F401F20F10CBDED10324E42479A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:27.631{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF68969E1CABDF6F6559B3630993207,SHA256=623BD1931569311B1058B3AAA0EA6D52CE413D54FF5D631BA52CA9EE61BCAB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:28.631{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357B9DDF72BB6AF1D6C05125EFEA047E,SHA256=0EC17AB9A11D22D9B7A37BB878812BEA62371DC7ED1C72B7D8E8F2CE0F38B3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:28.318{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4603B18466C269FE4E8D00CA2C27A908,SHA256=E945BD9F16DA434A259AFB819C3B6F954C07E963D61BB05087F68244E8954D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:29.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45508AC6CB4A4BC2BC97F870018589C9,SHA256=F5171BBE67358C10F942CE2C5133DA53A4D3644AC93F13CD412D4FA952D80458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:29.631{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2513FAF287D23B5C65B4F945DB0D363B,SHA256=50C03F25FB431DA9D6B3F59746B04891504247F00C85195F6B624A76E0FCD331,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:25.584{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63331- 354300x80000000000000002270171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:24.943{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60296-false10.0.1.12-8000- 23542300x80000000000000002270176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:30.646{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D7610005E220E4FD6AF1FC2B6792F5,SHA256=7842774345450515AB1BB99E45777EF58FC99C848E4596EF98FAE9B7E8C8A8F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:26.599{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63331- 23542300x80000000000000002270177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:31.662{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A077E064288FAD8451BCDD7601019FD,SHA256=404F548AC2504C18DC79A598B8AC73A7B633EB821161180F70EC881EEC67BBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:32.865{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CA5435FD529817F4C1D72CD29F14B6,SHA256=CE469EE30978614BB1C623F68F19438F08FB93320B6D52F78D4867387D58CB17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:33.943{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF52661360D1BF9EB36B3370C0C082A8,SHA256=D0782DDAF13B6FAE628F57B357E5807B6D167C32B99D1CAE9BCE2A4BBDFB4155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:33.256{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=227200F9E7CC3AA3F78B673DF042FF55,SHA256=33C353E3C673A4745A90CF9CEB58F0AC72D6DCE02FC1820A3D810CBFDEA945DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:34.959{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC1A3D3B1A8DE2857456EC84F43F392,SHA256=E7B6723A3510B8FB151EF3B09362BDC0C6FB926E01D53DE7CAD9AF7BA1804077,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:29.990{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60297-false10.0.1.12-8000- 23542300x80000000000000002270183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:35.959{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9620FBA8D4D6C3A7F1D00EB8FEC27A,SHA256=695396D0E79F9BE4F381BC80AA09052835982125B225B1AE630612B7ED8F298A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:36.881{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12EEA48EC3B3BCF837054A89E7728ED4,SHA256=AC532AB04C5E9D7D36A6D5272A10E9C5C13950A206098FAC4E9451E905464AE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:33.615{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-228.attackrange.local50492-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 23542300x80000000000000002270185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:37.006{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC5675A997557AC971F447FAE91EED5,SHA256=781977CA107D8CE7B7BBFDE53508827F8C6CFAEF2A3BD2DD92B82B5E7BDBFA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:38.021{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0991D8A5085BD6085D1EFC22C78A9E05,SHA256=CF8B6496E6708F634C81DAED49F59A1ED57C0DB89B1198125640AFEC32DBC730,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:35.803{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60298-false10.0.1.12-8000- 23542300x80000000000000002270189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:39.287{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=248A2A29E154A5D494A71AD9F196D0E9,SHA256=99019BA93EE9C56905F2D01457EB2964A272B70060713482AF785350E6BCA03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:39.068{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEEA7A38034C2CC20F6DFDECAD0A9AB,SHA256=4176C9C246CD9152F7A5DEDFA2E4E4B6ECC51DE0B1B255D78DC663B2B705F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:40.084{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8937AD0D67F7C1E89B1DFC2BB5DF9479,SHA256=BEE7E2821A089BCB410346BF2F6FEC03937BFD12F4633880D3DCF691D559ABDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:41.834{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AF324311FC371B535EDF26E5E2A449,SHA256=FAA32F82A45A8140B2EFAEC97E8F55030C808DE2ECEAB8501B9F21882DF221F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:41.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284B30447A4CAD14E4BFC2E3BA8FFEC0,SHA256=6040AE020B7B84D3E9FDE06D1A46548139B8EA8DAE17E38961D8BCBF24A39BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:42.115{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596AE7DB64D08E48EC50E608A7B376E1,SHA256=FCF445B338ADC6E34C9C68C3D389EC754AC37AC1D21AF4B4D2071E77D8C6F54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:43.115{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F3F0F32F9FED7E7C62014F84C67AC7,SHA256=400521CE98F83F3D6F224518C9BC8046B1A588445D0C6C36E19FF5DFD62AA8D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:40.834{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60300-false10.0.1.12-8000- 23542300x80000000000000002270197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:44.115{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B91E3886280A373996D56E4F978C89B,SHA256=4884E40AC7E8632CFD12EE4D616431BF5B387E1C77E28732BD32BB428BE6998E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:44.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C55DD0CD9DE16A7A961EB4FC0C8895B9,SHA256=B72451F09BC8027FDD39B784B575325260B0077AB9B76BEB9E1C24CA399A3A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:45.131{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503F6DF3E970BAE7E4A548C9068ABFE3,SHA256=E5C564DA53CC329A405C3290A63948B4349706BCF0D6F7E11E60EE0B9BE15349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:46.162{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D44D333CCA8EB0BC2D28E5D88E3578A,SHA256=44964FC1D69D6A1198C77AC25DE4A7827EB0453931095A67900B47699295B84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:47.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0B9967A31E6E5DE4BF764E065D220C2,SHA256=42AEBA1CC8AA5B43F13F8460D080D3387B9FDEFCD3113590467E0BF5C4DD5876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:47.162{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4A77215339ABC0482A28553A8BA4B6,SHA256=1C3895F1D2E8287609D618DDF544D7AC98EC755B64F7E70785C5B42A5B9709AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:44.539{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60301-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002270204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:44.539{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60301-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002270203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:48.178{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F183896DC058804BDAFCD5109C04E227,SHA256=65EFD60EFD6F6221FB54D972FD65063D4306445E6BC04636E1D63896D7845E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:49.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B3443CCC1AA3D0AF145FCC3506EDAE,SHA256=D698215634C9241509BA7CD445067287FCBB6F976D3D58C83D9E142AB8A7CD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:49.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A3186B58341127AD6C737940920E12,SHA256=C677259ADECD002E457A160359CB733BC2DCE197FBDA75BE6E811E95DF1F1DE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:45.834{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60302-false10.0.1.12-8000- 23542300x80000000000000002270209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:50.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C857A16BDE1F3C277A44E84B67EEF86E,SHA256=EC0B2843F8002AA1C12257E3CF3DD1D835D63DF7825385E9A08BB570DAE3AEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:50.240{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D43CFFD803E0E39FD8AB7ECCD541213,SHA256=41EBF479AA2C34359727A9A6AC93D9D5B71B7D226F80DFB685DADDC8D8AB5630,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:47.334{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63764- 23542300x80000000000000002270212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:51.615{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A88D9695832262A53F2B61E9FFB05E95,SHA256=2BBA79C203CC5E86C61E88DE61D88F5AAACF35D8FC490EE6F8C82E09FA74795A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:51.256{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2359E26E8BCA521FD02B9796DF77CA67,SHA256=61A1ECEC5E8764687A88A0A0A417F09CE0B0E91F8362F2989845EACF7D761C03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:48.349{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63764- 23542300x80000000000000002270214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:52.271{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D58CD5D1B5A47822F97ECAFF27892C,SHA256=30254D81185BBAC860BF71F709D49574107F447748A744078307BF16AF81C21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:53.303{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B92A1B3827A8EC51B49E04F62EC8146,SHA256=2FA71FB41B9CDC21F39A6BCA17EF2EB4993035B028E8F4504B1C8745B09A7CAF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002270222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:03:54.881{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\20FED10E-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_20FED10E-0000-0000-0000-100000000000.XML 13241300x80000000000000002270221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:03:54.881{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Config SourceDWORD (0x00000001) 13241300x80000000000000002270220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:03:54.881{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_0992B788-1468-4F36-93BE-112B21933E91.XML 354300x80000000000000002270219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:50.881{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60303-false10.0.1.12-8000- 23542300x80000000000000002270218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:54.303{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A600B9596C90371C5B337D4E7897D27,SHA256=4310B951BEB588F9CEE29AFDFC1744A0B6F2A4A48FA60065F7211BF65B8A688A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:54.209{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C9047357F874CE36A0C0D4E6DF7D06,SHA256=83D7F9D037CD958A81A73B385305C1A2ECD5E0B577CF20C5964525FE0F8744C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:55.912{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=880DF5DE6B2B1E43716C1CFB8AF2F1E4,SHA256=70854B309309FCC76B52CBCAFD89DC07AFDE5682EA430B3330DCE2EC0552A308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:55.318{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191469915CF4525E6A59918F9781EDB2,SHA256=6992698F302F34703B240098BF17BB6672F93DE47A2E84D7C9A02859E12D7E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:52.649{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60305-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002270228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:52.649{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60305-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002270227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:52.643{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60304-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002270226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:52.643{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60304-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002270225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:56.318{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F114D36C7574FED6FE8C77AC2D2776,SHA256=7E4520639362B232F8603422882AFB024CDB3D05B24DAF937564994327D70E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:57.350{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25968D9ED1886AC29C6383D9CA71261,SHA256=141F98ED52F8A752810D1CD27FDC806D7F8A6E25AF60B9BF3A7693097ABEC4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22343BD02DB74B51B03DE711190D8AAB,SHA256=E64670C842EE73E44AA2F95E78A76457EBDC28498591C2BDA4ECCDE0CEEAC89A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.443{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2F1E-6041-C256-00000000AD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.443{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.443{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.443{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.443{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.443{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2F1E-6041-C256-00000000AD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.443{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2F1E-6041-C256-00000000AD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.444{5ABCFE62-2F1E-6041-C256-00000000AD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:58.365{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE42FCA626382DE470C8C7D512C50715,SHA256=05B89AAAF25662D6815E791BC6122231CE87712FD814D2BC159D7AB14DF6C769,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.912{5ABCFE62-2F1F-6041-C456-00000000AD01}61042140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.787{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2F1F-6041-C456-00000000AD01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.787{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.787{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.787{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.787{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.787{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-2F1F-6041-C456-00000000AD01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.787{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2F1F-6041-C456-00000000AD01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.788{5ABCFE62-2F1F-6041-C456-00000000AD01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204BF2270934D333F4FC885D91482B5D,SHA256=95321C9C05926F005FB23198AEFC7E9054E842799B7002A3A752914C50A836B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.115{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2F1F-6041-C356-00000000AD01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.115{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.115{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.115{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.115{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.115{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2F1F-6041-C356-00000000AD01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.115{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2F1F-6041-C356-00000000AD01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.116{5ABCFE62-2F1F-6041-C356-00000000AD01}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002270263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:55.912{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60307-false10.0.1.12-8000- 354300x80000000000000002270262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:55.444{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60306-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002270261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:55.444{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60306-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002270260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:00.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24F028453FD75FA63F032839A3D92BA,SHA256=2A1505AE39281BFF49C83C0B626D5E2685FF7DAA015579854EFA922E3768B327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:00.131{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEB807F06A5249FD323A19F56677E64,SHA256=78906F6F3A5F42C9BDCB69CA720DAB53B645C740B2D6CF7912F97C7757B1C048,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002270265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 19:04:01.943{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d71129-0x239b6b72) 23542300x80000000000000002270264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:01.459{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF9F4388853EA861A00F346AA067524,SHA256=87C5D1B175E797F39BA54E516AFD70EF061611BC99ADA6B9FE3D836FE1D654F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:03:59.412{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64219- 23542300x80000000000000002270267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:02.726{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE22240EE5F36C213B2F85FF642B4ED4,SHA256=8788DE8BE7649A5F1F8DA185E6F844EF70F6168DE31A4285FF8642A841F2D13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:02.475{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC31DF2F95DF9208FD944C348A2B259,SHA256=8DEEDE58E52C651FF6A0AC9AB8E21A4CDCFE65198F8BD978AFE95F56C3FB51CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:03.476{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F99E06966434792FBEA635A2B19405,SHA256=00D003AD4DB36DB0C3DD5B3D6F460C4C0DB0AAA44D2F6B8F90B7B1B19222B0EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:00.960{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60308-false10.0.1.12-8000- 354300x80000000000000002270272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:00.413{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64219- 23542300x80000000000000002270271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:04.507{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0555F35869C685DD24CAB9E74CBAD6A,SHA256=DA6AB503581B14318856E1327DCCE5CDD1AC1A267C3C4AB311324D32444B0DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:04.273{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2C98192C759F9C5B3A062872D7230AB,SHA256=F351D020366012134501D5B40A9EB7126C830188F95A779C472587E5D71121EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:05.520{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15616E4ADD7038CB2EF9783D610DF9C5,SHA256=55A5392644E284ACF26D18E31E53235721932EAF6FBFE5CA4140104B630B4DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:06.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B4AE6C9839154FAD9346B48499C9FC,SHA256=5C4BA35D81F54BDF398367D60B0D812FABD60270E553546F149BC514013A9CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:07.538{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF96DC5BB97547A7ABB4CCA96A481BB,SHA256=9201B9DFD65F9363A431E6FEAD24675B3E2D9D3105C9AAD3D2D736270DBD4800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.538{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB25F53570A5797B50BDFE1A151E69AE,SHA256=420234AC79E61F831C62F82871AD00247CCE47BDBCC66AF4DA86FAE8B1E5D074,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:05.976{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60309-false10.0.1.12-8000- 23542300x80000000000000002270279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:09.585{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339809A8317B1F42CC5F45FCED27C622,SHA256=EE9F9779016F307841F258EC5A2FC6C9EA475CB01DA2E600961415B6BF938E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:09.257{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E33B991D2819B6F3E5F7E08828D85352,SHA256=CEC98D31BC09B44CDEFAFC06D776C712A4E4D6739689E1DB5037687551058079,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:10.960{5ABCFE62-842D-603E-0B00-00000000AD01}6326192C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002270282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:10.710{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8DFFFE533E5FBA7F369A5D6947773A,SHA256=8DE646AB17F9026FD948A88F09FEC1EAD58D087F2A00114F826D5DF2A63B2B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:10.601{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D80D14AEE11F9E47D1DB981D3C47104,SHA256=E791B2EB43036BB9814FD2EB2CAEC45932056E18DC38E27AF424FCD797BA904B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.610{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local60313-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002270293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.610{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60313-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002270292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.604{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60312-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002270291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.604{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60312-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002270290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.603{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60311-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002270289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.603{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60311-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002270288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.602{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60310-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002270287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.602{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60310-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002270286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:11.866{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEB2DF496596AAB24C688FD8E6512E63,SHA256=E80F0EC362B53011AC6A3697389B928D16F28BE55E1D59599B9FA33C789D316A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:11.601{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AB7D2B18E689986589EA78866B9235,SHA256=F56491EBE6AD4ACECF5B7A76489D26AB33B11FD9B7801D46551979B8A9663212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:11.585{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:12.648{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A366FA30AD6566ABD847EBF7E6C63E66,SHA256=A42CDA9D274A552449A81AE63FB7AA2525D18824D279938A4F68BCAF21F8BEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:13.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC82BBF1B11704EC097931DFD6B355E5,SHA256=57D9BF49A8702CCA1E9C6C00F5422D76B614E7010718604C7A31687C07C7B32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:13.648{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9287023388984F4F67173381F85CD8,SHA256=521968FDC0015FCA3D09DAE264485C83FE3A89731358C810E27F9F78A4BF5F52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.820{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2F2E-6041-C656-00000000AD01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.820{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.820{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.820{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.820{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.820{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2F2E-6041-C656-00000000AD01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.820{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2F2E-6041-C656-00000000AD01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.821{5ABCFE62-2F2E-6041-C656-00000000AD01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6394500F38F2CA96C2CF083AF233C212,SHA256=68C56BA087F79A2EB042E5B795EE78436E1B8C7656EAC001C756C7515E07D815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.351{5ABCFE62-2F2E-6041-C556-00000000AD01}64083876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.210{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2F2E-6041-C556-00000000AD01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.210{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.210{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.210{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.210{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.210{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2F2E-6041-C556-00000000AD01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.210{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2F2E-6041-C556-00000000AD01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:14.211{5ABCFE62-2F2E-6041-C556-00000000AD01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002270305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:09.413{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61919- 354300x80000000000000002270304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:09.320{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60317-false10.0.1.12-8089- 354300x80000000000000002270303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.717{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60316-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002270302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.717{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60316-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002270301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.714{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60315-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002270300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.714{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60315-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002270299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.713{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60314-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002270298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:08.713{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60314-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002270336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.710{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8198B06E44BB7099A5F0C2C6DD240AB5,SHA256=4316CE4D8D9728DF2B5210BD7CB40B5612A6EA8DF3880E430E4EB5896494AAE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.570{5ABCFE62-2F2F-6041-C756-00000000AD01}51046968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2F2F-6041-C756-00000000AD01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-2F2F-6041-C756-00000000AD01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2F2F-6041-C756-00000000AD01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.445{5ABCFE62-2F2F-6041-C756-00000000AD01}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:15.226{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3502A0D3253D2E78D64DA6FE492ED93C,SHA256=48692BBD4B24EBCBF75D7647E0C391BC95E6522B608D6A873F66DF9419663DAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:11.007{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60318-false10.0.1.12-8000- 354300x80000000000000002270324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:10.413{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61919- 23542300x80000000000000002270347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.710{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E050F937CC6398286E27617F1014C922,SHA256=584210B924D6F68C86104FB16E6C4E97D4BF4ED14BA10C6BAF7DEB0E05E77F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.445{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABA0A0306DD27D7F6134BCE79892AB4F,SHA256=9B6E7FDAB0367E93C0FF3073C8CFD7ED6EF80E2DE5EB8F54B23FAB70D4308911,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002270345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.242{5ABCFE62-2F30-6041-C856-00000000AD01}70963792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-2F30-6041-C856-00000000AD01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-842F-603E-0C00-00000000AD01}8521032C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002270339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-2F30-6041-C856-00000000AD01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002270338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-2F30-6041-C856-00000000AD01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002270337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.117{5ABCFE62-2F30-6041-C856-00000000AD01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002270348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:17.742{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD024DC1380FEDC20F58A6024C84429,SHA256=9179075E1C12A6083DCBAF9F2F1F9ACA3BCEF34833321E5E1726D6E3A105E99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:18.757{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2082F659285D8F0FCB95DA9A2B169439,SHA256=5BBDDB2083859303F31D23A67BADEB40216B22F59718C7FE91215445D2C573CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:19.773{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E8854A8D0DB285CC4BE29404D2F623,SHA256=38A128F2119FFAF487CA4C4ADC9901460636964D77FBC48028BE09B9DEAE252B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:20.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE914C9E9F6469612862293427830036,SHA256=18BF5A9749E83F0AF46DE06F07FF7B95580F74E23F09DD369F098B99A72DB1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:20.038{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F136C7D01C1969032248B492B1723107,SHA256=C04FA368C5D2C9F5BC46C24F65038AAF69ED057F031B0D0873C019B64D804F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:21.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC731A06D351FC8AB81E9B7092CCE8CC,SHA256=8A3B7D96A7AF71E81CD73E3971C27E039BE307FA257E77B867F57C620B4A33E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:16.773{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60319-false10.0.1.12-8000- 23542300x80000000000000002270356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:22.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A15E12B5C6ED7B2A2A89F0B77099B6C,SHA256=21594D05370D553E254AAF23B718C91F2CC8150CC3D56A9F8994D5B2804B55DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:22.804{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EACC88CE6D81D5E18327CBCBCD8AA5E,SHA256=A8C4BE45E1A785498529B7470FF07A384C7906108BCC49AF7E1765654D4BB356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:23.820{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A209780C509FC6D6026DC8021DAD24D,SHA256=F1118483818EA9ED09AD908DAF0D5906BE74EAA66EB687BCBC19F4F2FB92400C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:23.054{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2833D0D273A4B23D982DBA409EDFACC0,SHA256=C0C65DB503C198D1F3B481C2194626CE26E25D8353FD8ABC8D79BD9937287984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:24.820{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF83E5F9AC54D17718AE7C7EEDAA190,SHA256=1F5FA5F6DC072F2C1177B7D7734FF4065D943AFB78F8202DBFD72FD2ADA868A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:25.867{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B698E927F4C5A2BE051E771CF9B2ED,SHA256=61DEBCF56EB3DF5FA2AA8A97B58D1AEC43BD7AECBD82EB4283E3BDB3B879C8FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:25.070{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1885F3AB951149853E1E16B2FCB3332B,SHA256=8C8EE1288CFA42CEDB29D7EC7B10334E4A831F5E77DA1595ECE9E811E746074D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:26.867{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B2106F8EF0AE05575D3BE9E411ACE8,SHA256=0D52C4C00E827D1991C802475D0ECA46D759066F91234585CE15A6CCDDD7B968,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:21.804{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60320-false10.0.1.12-8000- 23542300x80000000000000002270364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:27.898{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC90B09D6E56457F8765FA117245C19,SHA256=28492BCDE1C5EF319D6888911F112196EB47C87E5A58DD1F3F100935CFEA2300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:28.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8668AE38A2E210B1C6035458B576BDB6,SHA256=0CAADB2C04EE3B2ECF8DABEB579A2C8B57C31BCC77F98C9D9F502D3BADF8353F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:29.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D8B518616B2CF81B1E3CB228E533E5,SHA256=7F574260445C1B8E7303795E22521ADA475D77849D66EAA3D8D58E820E54C1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:30.929{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B792050D315EBE3F1015CCF2D3ED1519,SHA256=2134705F6CA1FA8B516BD898D38BF038E1850AB5A126998C7C14C42958E70358,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:26.867{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60321-false10.0.1.12-8000- 23542300x80000000000000002270368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:30.242{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D841C37392738D67209F7CD97988D2,SHA256=CF91C934524C8C8B5FDCF91740863C014F0B0311B927B1FF29BDFE018C928C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:30.242{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C03EDE8823A37EE009E86EC276D66DCD,SHA256=2DAFD2E33DF8DAA82EB5096B301BA1A060D41359A974B11C7CA47A6585712FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:31.960{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8A7317F5599595CDF7318FEA0F3A6E,SHA256=7FC37EF35E923DAF9BEBE648E394C12F21846B97CF4F78B6F3C97C730431FE6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:31.445{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D841C37392738D67209F7CD97988D2,SHA256=CF91C934524C8C8B5FDCF91740863C014F0B0311B927B1FF29BDFE018C928C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:32.960{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2B0925AC718AE1DB567A063B0E6C78,SHA256=BE14D2A73AC947A288F55A34853BFB45B7CB0446FFD7A85FE7EF85544BFBA9A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:28.116{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54369- 23542300x80000000000000002270376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:33.976{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1616B187EC8E94505C7D885C99E242,SHA256=F5E3BA7A208AFEFC35D93FCBCF3A051B49D847BA06CB2DABAAD879874E21710C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:29.132{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54369- 23542300x80000000000000002270377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:34.976{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095F725BCBF7812B471B58713D90EDA2,SHA256=286A560338B95F3E8C1667A9CF5E131A29790CDFFFD7FF0E904794C968E818D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:35.992{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69DDCD1CFADCA6F024B7E4BA1632967,SHA256=97411C6BFF2774B35013E19103C4BF45A4C8976C524E05569F0758A2E16470D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:31.898{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60322-false10.0.1.12-8000- 23542300x80000000000000002270378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:35.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7147C8F29E53F7388E56B6FC4421DF1E,SHA256=0E729DD1CD9EED1754E51B25D37261706CF9DF23395A2F5D35FFFFAE6F60ED07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:37.038{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC54D1C17CB8150A39DF155FA73475B,SHA256=76E969DAC1EDF9CFC104E8AB6FAB1C9C0078FD35046A444DBEB9A025FBA8E009,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:35.319{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-52822-true2001:7fd:0:0:0:0:0:1k.root-servers.net53domain 23542300x80000000000000002270382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:38.054{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9727093E7DF40FAD885D65D038439C8D,SHA256=A32BE9506827C7748F79C3F63E0797AC855308A41CE69299F1816ADA37D0ADF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:39.413{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F61EFD11F61EE8D1DD0F81218E92DCF8,SHA256=34ADB21EADD4B6CA8D4B424A60E559B944DE4B224405E7814B3DD8CE5D576734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:39.070{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A461B56BAAE1AC90A8869C5414E2C5F1,SHA256=C7E92822BF38CE1CE4DC91DD1486FA515DF6985BDAB6ADBCE4118767741EB89D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:36.945{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60323-false10.0.1.12-8000- 23542300x80000000000000002270386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:40.070{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF7B8F18D7C29A473159139F231B040,SHA256=840C6377F0FE4DAEEB559E1C4D6D5AACFC64F5FF7EA92F7EF427C1372DA1AF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:41.085{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA25C882763EA810CDE0AE82A91E70E2,SHA256=0A104376147BAD401DEE23D622343AC2F8B41A8524A9D44FC816B439F20445D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:42.929{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5619E9AA6529745CF1BDE9B9FD39BD5F,SHA256=238504484F0F5F5EE373A0670166DECE8FE34A8D2C0464B6DC124562491BEDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:42.101{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D98A1C0D824CDD77BC4F008BC7F92F,SHA256=54383372E60CB54D1EAD7EE3A2211C44C37BC524B3CC20E59B93E76487363B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:43.101{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC96056B3363BEC44108B7662471622D,SHA256=35E3F0F91A77CB2E48EFD82BE6E5B9E6E02AFDDBE1BFED0066FD70CCD184F91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:44.117{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA362DFA0FEB6714C511FAABE2B6546,SHA256=3A184943977A08E8520F058F7ED21F608826ECF4A1845CE84F84C8177C9F9492,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002270395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:41.976{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60325-false10.0.1.12-8000- 23542300x80000000000000002270394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:45.242{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8761BE33CCAF881A95495F77FF156E,SHA256=01910CB79F5B5DFF5163BC590BD6A1A8AA466F4C6AB6643B0B5D36961FB80FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:45.132{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3D5ED6D1D5F2EA75F27B9DE9C4B57D,SHA256=679329E803F3A000DBAB34643F35C0F334172424F101665200A8B3D5D54D4F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:46.148{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC149773A27082B2E682C0A7AA856CF3,SHA256=9FBC13D59D5227719D00006E9697CF56039C3FCDEDFF1EE2FA56E84480B1E91C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002270397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 19:04:47.148{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AFEC2E9850600763F00C8760B034BA,SHA256=9F1F5490824F8935C14A635D5A67E23E6EF709F4EAE310803C6F9385B160E616,IMPHASH=00000000000000000000000000000000falsetrue